CVE-2008-7220

Name: CVE-2008-7220
Description: Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
Source: CVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-1952-1
NVD severity: high (attack range: remote)
Debian Bugs: 555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
asterisk | wheezy | 1:1.8.13.1~dfsg1-3+deb7u3 | fixed
asterisk | wheezy (security) | 1:1.8.13.1~dfsg1-3+deb7u4 | fixed
asterisk | jessie | 1:11.13.1~dfsg-2 | fixed
asterisk | stretch | 1:13.7.2~dfsg-1 | fixed
asterisk | sid | 1:13.8.2~dfsg-1 | fixed
auth2db | wheezy | 0.2.5-2+dfsg-4 | fixed
auth2db | sid, jessie | 0.2.5-2+dfsg-5 | fixed
exaile | wheezy | 0.3.2.2-3 | fixed
exaile | jessie | 3.4.0.2-1 | fixed
glpi | wheezy | 0.83.31-1 | fixed
glpi | sid, jessie | 0.84.8+dfsg.1-1 | fixed
jifty | wheezy | 1.10518+dfsg-2 | fixed
jquery | wheezy | 1.7.2+dfsg-1 | fixed
jquery | jessie | 1.7.2+dfsg-3.2 | fixed
jquery | stretch, sid | 1.12.3-1 | fixed
jscropperui | stretch, sid, jessie, wheezy | 1.2.2-1 | fixed
knowledgeroot | wheezy | 0.9.9.5-6 | fixed
libaws | wheezy | 2.10.2-4 | fixed
libaws | jessie | 3.2.0-3 | fixed
libaws | stretch, sid | 3.2.0-4 | fixed
libhtml-prototype-perl | wheezy | 1.48-3 | fixed
libhtml-prototype-perl | jessie | 1.48-4 | fixed
libhtml-prototype-perl | stretch, sid | 1.48-5 | fixed
lucene2 | jessie, wheezy | 2.9.4+ds1-4 | fixed
lucene2 | stretch, sid | 2.9.4+ds1-5 | fixed
mediatomb | wheezy | 0.12.1-4+deb7u1 | fixed
mediatomb | stretch, sid | 0.12.1-47-g7ab7616-1 | fixed
op-panel | wheezy | 0.30~dfsg-3 | fixed
otrs2 | wheezy (security), wheezy | 3.1.7+dfsg1-8+deb7u5 | fixed
otrs2 | jessie | 3.3.9-3 | fixed
otrs2 | stretch, sid | 5.0.10-1 | fixed
passenger | stretch, sid | 5.0.27-2 | fixed
prototypejs | wheezy | 1.7.0-2 | fixed
prototypejs | stretch, sid, jessie | 1.7.1-3 | fixed
scriptaculous | stretch, sid, jessie, wheezy | 1.9.0-2 | fixed
symfony | jessie (security), jessie | 2.3.21+dfsg-4+deb8u2 | fixed
symfony | stretch, sid | 2.8.6+dfsg-1 | fixed
webcit | wheezy | 8.14-dfsg-1 | fixed
webcit | jessie | 8.24-dfsg-1 | fixed
webcit | stretch, sid | 902-dfsg-1 | fixed
webhelpers | stretch, sid, jessie, wheezy | 1.3-4 | fixed
wordpress | wheezy (security), wheezy | 3.6.1+dfsg-1~deb7u10 | fixed
wordpress | jessie (security), jessie | 4.1+dfsg-1+deb8u8 | fixed
wordpress | stretch, sid | 4.5.2+dfsg-1 | fixed
zabbix | jessie | 1:2.2.7+dfsg-2 | fixed
zabbix | stretch | 1:3.0.2+dfsg-1 | fixed
zabbix | sid | 1:3.0.3+dfsg-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
activeldap | source | (unstable) | 1.0.9-1 | unimportant | | 555263
asterisk | source | (unstable) | 1:1.6.2.0~rc3-1 | low | | 555220
asterisk | source | etch | (unfixed) | end-of-life | |
asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny1 | high | DSA-1952-1 |
auth2db | source | (unstable) | 0.2.5-2+dfsg-1 | low | | 555217
chora2 | source | (unstable) | (not affected) | | |
ebug-http | source | (unstable) | 0.31-2.1 | low | | 555235
exaile | source | (unstable) | 0.2.14+debian-2.2 | low | | 555244
glpi | source | (unstable) | 0.72.3-1 | low | | 555228
gollem | source | (unstable) | (not affected) | | |
hobix | source | (unstable) | 0.5~svn20070319-4 | low | | 555246
ingo1 | source | (unstable) | (not affected) | | |
jifty | source | (unstable) | (not affected) | | |
jquery | source | (unstable) | (not affected) | | |
jscropperui | source | (unstable) | 1.2.1-1 | low | | 555255
knowledgeroot | source | (unstable) | 0.9.9.5-1 | low | | 555229
knowledgeroot | source | lenny | (not affected) | | |
kronolith2 | source | (unstable) | (not affected) | | |
libaws | source | (unstable) | 2.7-1 | low | | 555221
libhtml-prototype-perl | source | (unstable) | 1.48-3 | low | | 558977
libjson-ruby | source | (unstable) | 1.1.4-1 | low | | 555223
libjson-ruby | source | lenny | 1.1.2-1+lenny1 | high | |
lucene2 | source | (unstable) | 2.9.1+ds1-2 | unimportant | | 555225
lucene2 | source | etch | (not affected) | | |
mediatomb | source | (unstable) | 0.12.0~svn2018-5 | low | | 555232
mt-daapd | source | (unstable) | 0.9~r1696.dfsg-6 | low | | 555231
mt-daapd | source | etch | 0.2.4+r1376-1.1+etch3 | high | |
op-panel | source | (unstable) | 0.30~dfsg-1 | low | | 555234
otrs2 | source | (unstable) | 2.3.4-6 | low | | 555266
otrs2 | source | etch | (not affected) | | |
otrs2 | source | lenny | (not affected) | | |
passenger | source | (unstable) | (not affected) | | |
pixelpost | source | (unstable) | 1.7.1-6 | low | | 555248
plone3 | source | (unstable) | (unfixed) | low | | 555274
poker-network | source | (unstable) | 1.7.6-1 | low | | 555237
prototypejs | source | (unstable) | 1.6.0.2-1 | high | |
qwik | source | (unstable) | (unfixed) | low | | 555240
rt-extension-emailcompletion | source | (unstable) | (not affected) | | |
scriptaculous | source | (unstable) | 1.8.3-1 | low | | 555259
symfony | source | (unstable) | 1.0.21-1.1 | low | | 555250
webcalendar | source | (unstable) | 1.2~b1-2 | low | | 555268
webcalendar | source | lenny | (not affected) | | |
webcit | source | (unstable) | (not affected) | | |
webhelpers | source | (unstable) | 0.3.4-2 | low | | 555239
wesnoth | source | (unstable) | (not affected) | | |
wordpress | source | (unstable) | 2.5.0-2 | low | | 555242
wordpress | source | etch | (not affected) | | |
zabbix | source | (unstable) | (not affected) | | |

Notes

[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)
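The notes above record how each embedded copy of prototype.js was triaged: a package is marked not-affected when the file is absent from its binary packages, when the shipped copy is unused, or when it already carried a fixed version. The first of those checks can be automated. The script below is an added example, not part of the Debian tracker or of the prototypejs project: it walks a directory tree (an unpacked package, a web root), finds every JavaScript file that declares itself as Prototype, and compares the declared version against 1.6.0.2, the first fixed upstream release per the table above. It relies on the library's own convention of opening with `var Prototype = { Version: '...'` (a property of prototype.js itself, not something stated on this page). The sample tree it scans is constructed inline and does not reflect any real package's contents.

```python
"""Find embedded copies of prototype.js and flag versions before 1.6.0.2.

Added example for CVE-2008-7220; not code from the Debian tracker or from
prototypejs. Assumes prototype.js declares its version as
    var Prototype = {
      Version: '1.6.0.1',
(or, minified, var Prototype={Version:"1.6.0.1",...).
"""
import re
import tempfile
from pathlib import Path

# First upstream release fixed for CVE-2008-7220 (tracker: prototypejs 1.6.0.2-1).
FIXED_VERSION = "1.6.0.2"

# Matches the Version property of the Prototype object literal in both the
# pretty-printed and the minified form, and tolerates a trailing tag such as
# '1.6.0_rc1' by capturing only the leading dotted numbers.
VERSION_RE = re.compile(
    r"""Prototype\s*=\s*\{\s*Version\s*:\s*['"](\d+(?:\.\d+)*)[^'"]*['"]"""
)


def parse_version(version: str) -> tuple:
    """'1.6.0.1' -> (1, 6, 0, 1); short strings such as '1.7' are zero-padded
    so that tuple comparison orders them correctly against 1.6.0.2."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def prototype_version(text: str):
    """Return the declared Prototype version in a JS source, or None when the
    file is not prototype.js (or is a copy whose header was stripped)."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True for any declared version older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_tree(root) -> list:
    """Walk root and return (relative path, version, vulnerable) for every
    embedded prototype.js copy found, sorted by path."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        version = prototype_version(text)
        if version is not None:
            findings.append((str(path.relative_to(root)), version, is_vulnerable(version)))
    return findings


# Constructed sample tree (hypothetical layout, not real package contents):
# headers mimicking prototype.js 1.5.1.1, 1.6.0.2 and a minified 1.7, plus an
# unrelated script with a Version property that must not be reported.
SAMPLE_FILES = {
    "webapp/js/prototype.js": (
        "/*  Prototype JavaScript framework */\n"
        "var Prototype = {\n  Version: '1.5.1.1',\n  Browser: {}\n};\n"
    ),
    "other/static/prototype.js": "var Prototype = {\n  Version: '1.6.0.2',\n};\n",
    "vendor/proto.min.js": 'var Prototype={Version:"1.7",Browser:{}};',
    "vendor/app.js": "var App = { Version: '1.6.0.1' }; // not Prototype\n",
}


def demo() -> list:
    """Write the constructed tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  {version:<10} {path}")
```

Running the file scans the constructed sample; on a real system call `scan_tree()` on the unpacked package or document root. Two caveats match the triage notes above: a copy with its header stripped will not be found, and a hit only proves a copy is present, so whether it is actually served (the "copy unused" and "only shipped in an example" cases) still has to be checked by hand.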
