CVE-2008-7220

NameCVE-2008-7220
DescriptionUnspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1952-1
NVD severityhigh (attack range: remote)
Debian Bugs555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)jessie (security), jessie1:11.13.1~dfsg-2+deb8u5fixed
stretch (security), stretch1:13.14.1~dfsg-2+deb9u3fixed
buster, sid1:13.22.0~dfsg-1fixed
auth2db (PTS)jessie0.2.5-2+dfsg-5fixed
exaile (PTS)jessie3.4.0.2-1fixed
glpi (PTS)jessie0.84.8+dfsg.1-1fixed
jquery (PTS)jessie1.7.2+dfsg-3.2fixed
stretch3.1.1-2fixed
buster, sid3.2.1-1fixed
jscropperui (PTS)buster, sid, jessie, stretch1.2.2-1fixed
libaws (PTS)jessie3.2.0-3fixed
stretch3.3.2-2fixed
buster, sid17.2.2017-2fixed
libhtml-prototype-perl (PTS)jessie1.48-4fixed
buster, sid, stretch1.48-5fixed
lucene2 (PTS)jessie2.9.4+ds1-4fixed
buster, sid, stretch2.9.4+ds1-6fixed
otrs2 (PTS)stretch/non-free (security), stretch/non-free5.0.16-1+deb9u5fixed
sid/non-free, buster/non-free6.0.10-1fixed
jessie (security), jessie3.3.18-1+deb8u4fixed
passenger (PTS)buster, sid, stretch5.0.30-1fixed
prototypejs (PTS)buster, sid, jessie, stretch1.7.1-3fixed
scriptaculous (PTS)buster, sid, jessie, stretch1.9.0-2fixed
symfony (PTS)jessie (security), jessie2.3.21+dfsg-4+deb8u3fixed
stretch2.8.7+dfsg-1.3fixed
stretch (security)2.8.7+dfsg-1.3+deb9u1fixed
buster, sid3.4.14+dfsg-1fixed
webcit (PTS)jessie8.24-dfsg-1fixed
stretch902-dfsg-4fixed
buster, sid917-dfsg-2fixed
webhelpers (PTS)buster, sid, jessie, stretch1.3-4fixed
wordpress (PTS)jessie4.1+dfsg-1+deb8u17fixed
jessie (security)4.1+dfsg-1+deb8u18fixed
stretch4.7.5+dfsg-2+deb9u3fixed
stretch (security)4.7.5+dfsg-2+deb9u4fixed
buster, sid4.9.7+dfsg1-1fixed
zabbix (PTS)jessie (security), jessie1:2.2.7+dfsg-2+deb8u3fixed
stretch1:3.0.7+dfsg-3fixed
buster, sid1:3.0.17+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)1.0.9-1unimportant555263
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
asterisksourceetch(unfixed)end-of-life
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1highDSA-1952-1
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
chora2source(unstable)(not affected)
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)0.2.14+debian-2.2low555244
glpisource(unstable)0.72.3-1low555228
gollemsource(unstable)(not affected)
hobixsource(unstable)0.5~svn20070319-4low555246
ingo1source(unstable)(not affected)
jiftysource(unstable)(not affected)
jquerysource(unstable)(not affected)
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsource(unstable)0.9.9.5-1low555229
knowledgerootsourcelenny(not affected)
kronolith2source(unstable)(not affected)
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysource(unstable)1.1.4-1low555223
libjson-rubysourcelenny1.1.2-1+lenny1high
lucene2source(unstable)2.9.1+ds1-2unimportant555225
lucene2sourceetch(not affected)
mediatombsource(unstable)0.12.0~svn2018-5low555232
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
mt-daapdsourceetch0.2.4+r1376-1.1+etch3high
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2source(unstable)2.3.4-6low555266
otrs2sourceetch(not affected)
otrs2sourcelenny(not affected)
passengersource(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)1.6.0.2-1high
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)1.8.3-1low555259
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsource(unstable)1.2~b1-2low555268
webcalendarsourcelenny(not affected)
webcitsource(unstable)(not affected)
webhelperssource(unstable)0.3.4-2low555239
wesnothsource(unstable)(not affected)
wordpresssource(unstable)2.5.0-2low555242
wordpresssourceetch(not affected)
zabbixsource(unstable)(not affected)

Notes

[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)

Search for package or bug name: Reporting problems