CVE-2007-2385

Name	CVE-2007-2385
Description	The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	557745, 557746, 557748

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bcfg2 (PTS)	jessie	1.3.5-1+deb8u1	fixed
	stretch	1.4.0~pre2+git141-g6d40dace6358-1	fixed
	buster	1.4.0~pre2+git141-g6d40dace6358-2	fixed
loggerhead (PTS)	jessie	1.19~bzr479+dfsg-1	fixed
	bullseye	1.19~bzr511-1	fixed
	bookworm	2.0.1+bzr541+ds-2	fixed
	sid, trixie	2.0.1+bzr548-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
bcfg2	source	(unstable)	(not affected)
jifty	source	(unstable)	0.91117-1	low	557748
loggerhead	source	(unstable)	(not affected)
moodle	source	(unstable)	(not affected)
serendipity	source	(unstable)	1.5.3-1	low	557746
webgui	source	(unstable)	(not affected)
yui	source	(unstable)	(unfixed)	unimportant	557745

Notes

- bcfg2 <not-affected> (present in source but not included in any binary files)
- moodle <not-affected> (uses system libjs-yui)
- webgui <not-affected> (uses system libjs-yui)
- loggerhead <not-affected> (uses system libjs-yui)
see https://web.archive.org/web/20071105202514/http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
This allows to steal data from affected websites. Therefore web applications should
only be considered vunerabile if they process confidential data.
The frameworks should be fixed in any case.