Name | CVE-2007-2383 |
Description | The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1952-1 |
Debian Bugs | 555217, 555220, 555221, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555240, 555246, 555248, 555250, 555255, 555268, 555274, 558977 |
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
asterisk (PTS) | jessie, jessie (lts) | 1:11.13.1~dfsg-2+deb8u8 | fixed
asterisk | stretch (security) | 1:13.14.1~dfsg-2+deb9u6 | fixed
asterisk | stretch (lts), stretch | 1:13.14.1~dfsg-2+deb9u10 | fixed
asterisk | buster, buster (lts) | 1:16.28.0~dfsg-0+deb10u5 | fixed
asterisk | buster (security) | 1:16.28.0~dfsg-0+deb10u4 | fixed
asterisk | bullseye | 1:16.28.0~dfsg-0+deb11u4 | fixed
asterisk | bullseye (security) | 1:16.28.0~dfsg-0+deb11u5 | fixed
asterisk | sid | 1:22.0.0~dfsg+~cs6.14.60671435-1 | fixed
auth2db (PTS) | jessie | 0.2.5-2+dfsg-5 | fixed
exaile (PTS) | jessie | 3.4.0.2-1 | fixed
exaile | sid, trixie | 4.1.3+dfsg-3 | fixed
glpi (PTS) | jessie | 0.84.8+dfsg.1-1 | fixed
jscropperui (PTS) | jessie, buster, stretch | 1.2.2-1 | fixed
jscropperui | bullseye, bookworm | 1.2.2-1.1 | fixed
jscropperui | sid, trixie | 1.2.2-2 | fixed
libaws (PTS) | jessie | 3.2.0-3 | fixed
libaws | stretch | 3.3.2-2 | fixed
libaws | buster | 19.0-2 | fixed
libaws | bullseye | 20.2-2 | fixed
libhtml-prototype-perl (PTS) | jessie | 1.48-4 | fixed
libhtml-prototype-perl | buster, stretch | 1.48-5 | fixed
libhtml-prototype-perl | bullseye | 1.48-5.1 | fixed
libhtml-prototype-perl | sid, trixie, bookworm | 1.48-6 | fixed
lucene2 (PTS) | jessie | 2.9.4+ds1-4 | fixed
lucene2 | stretch | 2.9.4+ds1-6 | fixed
otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed
otrs2 | stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | fixed
otrs2 | buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed
otrs2 | bullseye/non-free | 6.0.32-6 | fixed
prototypejs (PTS) | jessie, buster, stretch | 1.7.1-3 | fixed
prototypejs | bullseye | 1.7.1-3.1 | fixed
prototypejs | sid, trixie, bookworm | 1.7.3-1 | fixed
scriptaculous (PTS) | jessie, buster, stretch | 1.9.0-2 | fixed
scriptaculous | bullseye | 1.9.0-2.1 | fixed
scriptaculous | bookworm | 1.9.0-3 | fixed
scriptaculous | sid, trixie | 1.9.0-4 | fixed
symfony (PTS) | jessie, jessie (lts) | 2.3.21+dfsg-4+deb8u6 | fixed
symfony | stretch (security) | 2.8.7+dfsg-1.3+deb9u3 | fixed
symfony | stretch (lts), stretch | 2.8.7+dfsg-1.3+deb9u5 | fixed
symfony | buster (security), buster, buster (lts) | 3.4.22+dfsg-2+deb10u3 | fixed
symfony | bullseye | 4.4.19+dfsg-2+deb11u6 | fixed
symfony | bookworm | 5.4.23+dfsg-1+deb12u2 | fixed
symfony | bookworm (security) | 5.4.23+dfsg-1+deb12u4 | fixed
symfony | sid, trixie | 6.4.15+dfsg-1 | fixed
webhelpers (PTS) | jessie, buster, stretch | 1.3-4 | fixed
wordpress (PTS) | jessie, jessie (lts) | 4.1.35+dfsg-0+deb8u1 | fixed
wordpress | stretch (security), stretch (lts), stretch | 4.7.23+dfsg-0+deb9u1 | fixed
wordpress | buster (security), buster, buster (lts) | 5.0.21+dfsg1-0+deb10u1 | fixed
wordpress | bullseye (security), bullseye | 5.7.11+dfsg1-0+deb11u1 | fixed
wordpress | bookworm (security), bookworm | 6.1.6+dfsg1-0+deb12u1 | fixed
wordpress | sid, trixie | 6.6.1+dfsg1-1 | fixed
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
activeldap | source | (unstable) | (not affected) | | |
asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny1 | | DSA-1952-1 |
asterisk | source | (unstable) | 1:1.6.2.0~rc3-1 | low | | 555220
auth2db | source | (unstable) | 0.2.5-2+dfsg-1 | low | | 555217
ebug-http | source | (unstable) | 0.31-2.1 | low | | 555235
exaile | source | (unstable) | (not affected) | | |
glpi | source | (unstable) | 0.72.3-1 | low | | 555228
hobix | source | (unstable) | 0.5~svn20070319-4 | low | | 555246
jscropperui | source | (unstable) | 1.2.1-1 | low | | 555255
knowledgeroot | source | lenny | (not affected) | | |
knowledgeroot | source | (unstable) | 0.9.9.5-1 | low | | 555229
libaws | source | (unstable) | 2.7-1 | low | | 555221
libhtml-prototype-perl | source | (unstable) | 1.48-3 | low | | 558977
libjson-ruby | source | (unstable) | (not affected) | | |
lucene2 | source | etch | (not affected) | | |
lucene2 | source | (unstable) | 2.9.1+ds1-2 | low | | 555225
mantis | source | (unstable) | (not affected) | | |
mediatomb | source | (unstable) | 0.11.0-3 | low | | 555232
mt-daapd | source | (unstable) | 0.9~r1696.dfsg-6 | low | | 555231
op-panel | source | (unstable) | 0.30~dfsg-1 | low | | 555234
otrs2 | source | (unstable) | (not affected) | | |
pixelpost | source | (unstable) | 1.7.1-6 | low | | 555248
plone3 | source | (unstable) | (unfixed) | low | | 555274
poker-network | source | (unstable) | 1.7.6-1 | low | | 555237
prototypejs | source | (unstable) | (not affected) | | |
qwik | source | (unstable) | (unfixed) | low | | 555240
rt-extension-emailcompletion | source | (unstable) | (not affected) | | |
scriptaculous | source | (unstable) | (not affected) | | |
symfony | source | (unstable) | 1.0.21-1.1 | low | | 555250
webcalendar | source | lenny | (not affected) | | |
webcalendar | source | (unstable) | 1.2~b1-2 | low | | 555268
webhelpers | source | (unstable) | (not affected) | | |
wesnoth | source | (unstable) | (not affected) | | |
wordpress | source | (unstable) | (not affected) | | |
- prototypejs <not-affected> (fixed before initial upload)
[etch] - asterisk <no-dsa> (minor issue)
[lenny] - asterisk <no-dsa> (minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)
[etch] - lucene2 <not-affected> (prototype.js not present)
[lenny] - lucene2 <no-dsa> (minor issue)
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Uses the prototype.js copy from scriptaculous)
[etch] - mt-daapd <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)
- exaile <not-affected> (fixed since initial inclusion)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (fixed since initial inclusion)
- scriptaculous <not-affected> (fixed since initial inclusion)
- activeldap <not-affected> (fixed since initial inclusion)
- mantis <not-affected> (fixed since initial inclusion)
- otrs2 <not-affected> (fixed since initial inclusion)
[lenny] - webcalendar <not-affected> (prototype.js not present)
- wesnoth <not-affected> (fixed since initial inclusion)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows data to be stolen from affected websites, so web applications should only be considered vulnerable if they process confidential data. The frameworks should be fixed in any case.