Description: The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs: 557745, 557746, 557748

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release       | Version                            | Status
bcfg2 (PTS)      | buster        | 1.4.0~pre2+git141-g6d40dace6358-2  | fixed
loggerhead (PTS) | bullseye      | 1.19~bzr511-1                      | fixed
loggerhead (PTS) | bookworm, sid | 2.0.1+bzr541+ds-2                  | fixed

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
bcfg2      | source | (unstable) | (not affected) |         |        |
loggerhead | source | (unstable) | (not affected) |         |        |
moodle     | source | (unstable) | (not affected) |         |        |
webgui     | source | (unstable) | (not affected) |         |        |


- bcfg2 <not-affected> (present in source but not included in any binary files)
- moodle <not-affected> (uses system libjs-yui)
- webgui <not-affected> (uses system libjs-yui)
- loggerhead <not-affected> (uses system libjs-yui)
This allows data to be stolen from affected websites. Therefore web applications should
only be considered vulnerable if they process confidential data.
The frameworks should be fixed in any case.
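The defence against the "JavaScript Hijacking" pattern described above, as an added example that is not code from the Debian tracker or from YUI: a cross-origin SCRIPT SRC load can only consume a response that parses as JavaScript, so the server prepends a guard that is a syntax error and answers only requests carrying a header a SCRIPT element cannot send, while same-origin client code strips the guard and uses JSON.parse. The request object shape, the header name check and the sample data are assumptions made for this example.

```javascript
// Added example (not from the Debian tracker or YUI): JSON-hijacking defence.
// Guard prefix that is never valid JavaScript, so a <script src> load fails
// to parse the body before any of the data becomes reachable.
const GUARD = ")]}',\n";

// Server side (hypothetical request object: { headers: { name: value } }).
function serveJson(request, data) {
  // A plain <script> load sends no custom headers, and a cross-origin XHR
  // that adds one is stopped by the CORS preflight unless the server opts in.
  if (request.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: GUARD + JSON.stringify(data) };
}

// Client side (same origin): verify and strip the guard, then parse.
// JSON.parse rather than eval, so the body is data, never executable code.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD)) throw new Error("missing anti-hijacking guard");
  return JSON.parse(body.slice(GUARD.length));
}

// Check for the verifier: would this body load as a script at all? This is
// the same parse a <script> element performs. A bare JSON array is valid
// JavaScript; a guarded body is not.
function loadsAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample standing in for a confidential JSON response.
const sample = [{ user: "alice", session: "constructed-sample-value" }];
console.log("unguarded loads as script:", loadsAsScript(JSON.stringify(sample)));
const response = serveJson({ headers: { "x-requested-with": "XMLHttpRequest" } }, sample);
console.log("guarded loads as script:", loadsAsScript(response.body));
console.log("same-origin client parses:", parseGuardedJson(response.body));
console.log("script-tag style request status:", serveJson({ headers: {} }, sample).status);
```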
