CVE-2008-7220

NameCVE-2008-7220
DescriptionUnspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1952-1
Debian Bugs555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)bullseye1:16.28.0~dfsg-0+deb11u4fixed
bullseye (security)1:16.28.0~dfsg-0+deb11u5fixed
sid1:22.1.0~dfsg+~cs6.14.60671435-1fixed
exaile (PTS)sid, trixie4.1.3+dfsg-4fixed
jscropperui (PTS)bookworm, bullseye1.2.2-1.1fixed
sid, trixie1.2.2-2fixed
libaws (PTS)bullseye20.2-2fixed
libhtml-prototype-perl (PTS)bullseye1.48-5.1fixed
sid, trixie, bookworm1.48-6fixed
otrs2 (PTS)bullseye/non-free6.0.32-6fixed
passenger (PTS)bullseye5.0.30-1.2+deb11u1fixed
bookworm6.0.17+ds-1fixed
sid, trixie6.0.20+ds-1fixed
prototypejs (PTS)bullseye1.7.1-3.1fixed
bookworm1.7.3-1fixed
sid, trixie1.7.3-2fixed
scriptaculous (PTS)bullseye1.9.0-2.1fixed
bookworm1.9.0-3fixed
sid, trixie1.9.0-4fixed
symfony (PTS)bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm5.4.23+dfsg-1+deb12u2fixed
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.16+dfsg-1fixed
wordpress (PTS)bullseye (security), bullseye5.7.11+dfsg1-0+deb11u1fixed
bookworm, bookworm (security)6.1.6+dfsg1-0+deb12u1fixed
sid, trixie6.6.1+dfsg1-1fixed
zabbix (PTS)bullseye1:5.0.8+dfsg-1fixed
bullseye (security)1:5.0.45+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1fixed
sid, trixie1:7.0.6+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)1.0.9-1unimportant555263
asterisksourceetch(unfixed)end-of-life
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1DSA-1952-1
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
chora2source(unstable)(not affected)
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)0.2.14+debian-2.2low555244
glpisource(unstable)0.72.3-1low555228
gollemsource(unstable)(not affected)
hobixsource(unstable)0.5~svn20070319-4low555246
ingo1source(unstable)(not affected)
jiftysource(unstable)(not affected)
jquerysource(unstable)(not affected)
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsourcelenny(not affected)
knowledgerootsource(unstable)0.9.9.5-1low555229
kronolith2source(unstable)(not affected)
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysourcelenny1.1.2-1+lenny1
libjson-rubysource(unstable)1.1.4-1low555223
lucene2sourceetch(not affected)
lucene2source(unstable)2.9.1+ds1-2unimportant555225
mediatombsource(unstable)0.12.0~svn2018-5low555232
mt-daapdsourceetch0.2.4+r1376-1.1+etch3
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2sourceetch(not affected)
otrs2sourcelenny(not affected)
otrs2source(unstable)2.3.4-6low555266
passengersource(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)1.6.0.2-1
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)1.8.3-1low555259
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsourcelenny(not affected)
webcalendarsource(unstable)1.2~b1-2low555268
webcitsource(unstable)(not affected)
webhelperssource(unstable)0.3.4-2low555239
wesnothsource(unstable)(not affected)
wordpresssourceetch(not affected)
wordpresssource(unstable)2.5.0-2low555242
zabbixsource(unstable)(not affected)

Notes

[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)

Search for package or bug name: Reporting problems