CVE-2008-7220

NameCVE-2008-7220
DescriptionUnspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1952-1
NVD severityhigh
Debian Bugs555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)stretch (security), stretch1:13.14.1~dfsg-2+deb9u4fixed
buster1:16.2.1~dfsg-1+deb10u2fixed
sid1:16.15.0~dfsg-1fixed
jquery (PTS)stretch3.1.1-2+deb9u1fixed
buster3.3.1~dfsg-3fixed
jscropperui (PTS)bullseye, sid, buster, stretch1.2.2-1fixed
libaws (PTS)stretch3.3.2-2fixed
buster19.0-2fixed
bullseye, sid20.0-2fixed
libhtml-prototype-perl (PTS)bullseye, sid, buster, stretch1.48-5fixed
lucene2 (PTS)stretch2.9.4+ds1-6fixed
otrs2 (PTS)buster/non-free6.0.16-2fixed
bullseye/non-free6.0.30-1fixed
sid/non-free6.0.30-2fixed
stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6fixed
passenger (PTS)stretch (security), stretch5.0.30-1+deb9u1fixed
buster5.0.30-1.1fixed
bullseye, sid5.0.30-1.2fixed
prototypejs (PTS)bullseye, sid, buster, stretch1.7.1-3fixed
scriptaculous (PTS)bullseye, sid, buster, stretch1.9.0-2fixed
symfony (PTS)stretch (security), stretch2.8.7+dfsg-1.3+deb9u3fixed
buster, buster (security)3.4.22+dfsg-2+deb10u1fixed
bullseye, sid4.4.14+dfsg-1fixed
webcit (PTS)stretch902-dfsg-4fixed
buster917-dfsg-2fixed
sid917-dfsg-5fixed
webhelpers (PTS)buster, stretch1.3-4fixed
wordpress (PTS)stretch4.7.5+dfsg-2+deb9u6fixed
stretch (security)4.7.19+dfsg-1+deb9u1fixed
buster5.0.10+dfsg1-0+deb10u1fixed
buster (security)5.0.11+dfsg1-0+deb10u1fixed
bullseye5.5.1+dfsg1-1fixed
sid5.5.3+dfsg1-1fixed
zabbix (PTS)stretch1:3.0.7+dfsg-3fixed
stretch (security)1:3.0.31+dfsg-0+deb9u1fixed
buster1:4.0.4+dfsg-1fixed
bullseye, sid1:5.0.5+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
activeldapsource(unstable)1.0.9-1unimportant555263
asterisksourceetch(unfixed)end-of-life
asterisksourcelenny1:1.4.21.2~dfsg-3+lenny1DSA-1952-1
asterisksource(unstable)1:1.6.2.0~rc3-1low555220
auth2dbsource(unstable)0.2.5-2+dfsg-1low555217
chora2source(unstable)(not affected)
ebug-httpsource(unstable)0.31-2.1low555235
exailesource(unstable)0.2.14+debian-2.2low555244
glpisource(unstable)0.72.3-1low555228
gollemsource(unstable)(not affected)
hobixsource(unstable)0.5~svn20070319-4low555246
ingo1source(unstable)(not affected)
jiftysource(unstable)(not affected)
jquerysource(unstable)(not affected)
jscropperuisource(unstable)1.2.1-1low555255
knowledgerootsourcelenny(not affected)
knowledgerootsource(unstable)0.9.9.5-1low555229
kronolith2source(unstable)(not affected)
libawssource(unstable)2.7-1low555221
libhtml-prototype-perlsource(unstable)1.48-3low558977
libjson-rubysourcelenny1.1.2-1+lenny1
libjson-rubysource(unstable)1.1.4-1low555223
lucene2sourceetch(not affected)
lucene2source(unstable)2.9.1+ds1-2unimportant555225
mediatombsource(unstable)0.12.0~svn2018-5low555232
mt-daapdsourceetch0.2.4+r1376-1.1+etch3
mt-daapdsource(unstable)0.9~r1696.dfsg-6low555231
op-panelsource(unstable)0.30~dfsg-1low555234
otrs2sourceetch(not affected)
otrs2sourcelenny(not affected)
otrs2source(unstable)2.3.4-6low555266
passengersource(unstable)(not affected)
pixelpostsource(unstable)1.7.1-6low555248
plone3source(unstable)(unfixed)low555274
poker-networksource(unstable)1.7.6-1low555237
prototypejssource(unstable)1.6.0.2-1
qwiksource(unstable)(unfixed)low555240
rt-extension-emailcompletionsource(unstable)(not affected)
scriptaculoussource(unstable)1.8.3-1low555259
symfonysource(unstable)1.0.21-1.1low555250
webcalendarsourcelenny(not affected)
webcalendarsource(unstable)1.2~b1-2low555268
webcitsource(unstable)(not affected)
webhelperssource(unstable)0.3.4-2low555239
wesnothsource(unstable)(not affected)
wordpresssourceetch(not affected)
wordpresssource(unstable)2.5.0-2low555242
zabbixsource(unstable)(not affected)

Notes

[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)

Search for package or bug name: Reporting problems