| Name | CVE-2008-7220 |
| Description | Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-1952-1 |
| Debian Bugs | 555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| asterisk (PTS) | buster | 1:16.2.1~dfsg-1+deb10u2 | fixed |
| buster (security) | 1:16.28.0~dfsg-0+deb10u4 | fixed | |
| bullseye | 1:16.28.0~dfsg-0+deb11u3 | fixed | |
| bullseye (security) | 1:16.28.0~dfsg-0+deb11u4 | fixed | |
| sid | 1:20.6.0~dfsg+~cs6.13.40431414-2 | fixed | |
| exaile (PTS) | sid, trixie | 4.1.3+dfsg-3 | fixed |
| jquery (PTS) | buster | 3.3.1~dfsg-3+deb10u1 | fixed |
| jscropperui (PTS) | buster | 1.2.2-1 | fixed |
| bookworm, bullseye | 1.2.2-1.1 | fixed | |
| sid, trixie | 1.2.2-2 | fixed | |
| libaws (PTS) | buster | 19.0-2 | fixed |
| bullseye, sid | 20.2-2 | fixed | |
| libhtml-prototype-perl (PTS) | buster | 1.48-5 | fixed |
| bullseye | 1.48-5.1 | fixed | |
| bookworm, sid, trixie | 1.48-6 | fixed | |
| otrs2 (PTS) | buster/non-free | 6.0.16-2 | fixed |
| buster/non-free (security) | 6.0.16-2+deb10u1 | fixed | |
| bullseye/non-free | 6.0.32-6 | fixed | |
| passenger (PTS) | buster | 5.0.30-1.1 | fixed |
| bullseye | 5.0.30-1.2+deb11u1 | fixed | |
| bookworm, trixie | 6.0.17+ds-1 | fixed | |
| sid | 6.0.20+ds-1 | fixed | |
| prototypejs (PTS) | buster | 1.7.1-3 | fixed |
| bullseye | 1.7.1-3.1 | fixed | |
| bookworm, sid, trixie | 1.7.3-1 | fixed | |
| scriptaculous (PTS) | buster | 1.9.0-2 | fixed |
| bullseye | 1.9.0-2.1 | fixed | |
| bookworm, sid, trixie | 1.9.0-3 | fixed | |
| symfony (PTS) | buster | 3.4.22+dfsg-2+deb10u1 | fixed |
| buster (security) | 3.4.22+dfsg-2+deb10u3 | fixed | |
| bullseye | 4.4.19+dfsg-2+deb11u4 | fixed | |
| bookworm | 5.4.23+dfsg-1+deb12u1 | fixed | |
| sid, trixie | 6.4.6+dfsg-1 | fixed | |
| webcit (PTS) | buster | 917-dfsg-2 | fixed |
| webhelpers (PTS) | buster | 1.3-4 | fixed |
| wordpress (PTS) | buster | 5.0.15+dfsg1-0+deb10u1 | fixed |
| buster (security) | 5.0.21+dfsg1-0+deb10u1 | fixed | |
| bullseye (security), bullseye | 5.7.8+dfsg1-0+deb11u2 | fixed | |
| bookworm | 6.1.1+dfsg1-1 | fixed | |
| trixie | 6.5+dfsg1-1 | fixed | |
| sid | 6.5.2+dfsg1-1 | fixed | |
| zabbix (PTS) | buster | 1:4.0.4+dfsg-1 | fixed |
| buster (security) | 1:4.0.4+dfsg-1+deb10u4 | fixed | |
| bullseye | 1:5.0.8+dfsg-1 | fixed | |
| bookworm | 1:6.0.14+dfsg-1 | fixed | |
| sid | 1:6.0.25+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| activeldap | source | (unstable) | 1.0.9-1 | unimportant | 555263 | |
| asterisk | source | etch | (unfixed) | end-of-life | ||
| asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny1 | DSA-1952-1 | ||
| asterisk | source | (unstable) | 1:1.6.2.0~rc3-1 | low | 555220 | |
| auth2db | source | (unstable) | 0.2.5-2+dfsg-1 | low | 555217 | |
| chora2 | source | (unstable) | (not affected) | |||
| ebug-http | source | (unstable) | 0.31-2.1 | low | 555235 | |
| exaile | source | (unstable) | 0.2.14+debian-2.2 | low | 555244 | |
| glpi | source | (unstable) | 0.72.3-1 | low | 555228 | |
| gollem | source | (unstable) | (not affected) | |||
| hobix | source | (unstable) | 0.5~svn20070319-4 | low | 555246 | |
| ingo1 | source | (unstable) | (not affected) | |||
| jifty | source | (unstable) | (not affected) | |||
| jquery | source | (unstable) | (not affected) | |||
| jscropperui | source | (unstable) | 1.2.1-1 | low | 555255 | |
| knowledgeroot | source | lenny | (not affected) | |||
| knowledgeroot | source | (unstable) | 0.9.9.5-1 | low | 555229 | |
| kronolith2 | source | (unstable) | (not affected) | |||
| libaws | source | (unstable) | 2.7-1 | low | 555221 | |
| libhtml-prototype-perl | source | (unstable) | 1.48-3 | low | 558977 | |
| libjson-ruby | source | lenny | 1.1.2-1+lenny1 | |||
| libjson-ruby | source | (unstable) | 1.1.4-1 | low | 555223 | |
| lucene2 | source | etch | (not affected) | |||
| lucene2 | source | (unstable) | 2.9.1+ds1-2 | unimportant | 555225 | |
| mediatomb | source | (unstable) | 0.12.0~svn2018-5 | low | 555232 | |
| mt-daapd | source | etch | 0.2.4+r1376-1.1+etch3 | |||
| mt-daapd | source | (unstable) | 0.9~r1696.dfsg-6 | low | 555231 | |
| op-panel | source | (unstable) | 0.30~dfsg-1 | low | 555234 | |
| otrs2 | source | etch | (not affected) | |||
| otrs2 | source | lenny | (not affected) | |||
| otrs2 | source | (unstable) | 2.3.4-6 | low | 555266 | |
| passenger | source | (unstable) | (not affected) | |||
| pixelpost | source | (unstable) | 1.7.1-6 | low | 555248 | |
| plone3 | source | (unstable) | (unfixed) | low | 555274 | |
| poker-network | source | (unstable) | 1.7.6-1 | low | 555237 | |
| prototypejs | source | (unstable) | 1.6.0.2-1 | |||
| qwik | source | (unstable) | (unfixed) | low | 555240 | |
| rt-extension-emailcompletion | source | (unstable) | (not affected) | |||
| scriptaculous | source | (unstable) | 1.8.3-1 | low | 555259 | |
| symfony | source | (unstable) | 1.0.21-1.1 | low | 555250 | |
| webcalendar | source | lenny | (not affected) | |||
| webcalendar | source | (unstable) | 1.2~b1-2 | low | 555268 | |
| webcit | source | (unstable) | (not affected) | |||
| webhelpers | source | (unstable) | 0.3.4-2 | low | 555239 | |
| wesnoth | source | (unstable) | (not affected) | |||
| wordpress | source | etch | (not affected) | |||
| wordpress | source | (unstable) | 2.5.0-2 | low | 555242 | |
| zabbix | source | (unstable) | (not affected) |
[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)