Name | CVE-2008-7220 |
Description | Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1952-1 |
Debian Bugs | 555217, 555220, 555221, 555223, 555225, 555228, 555229, 555231, 555232, 555234, 555235, 555237, 555239, 555240, 555242, 555244, 555246, 555248, 555250, 555255, 555259, 555263, 555266, 555268, 555274, 558977 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| asterisk (PTS) | jessie, jessie (lts) | 1:11.13.1~dfsg-2+deb8u8 | fixed |
| | stretch (security) | 1:13.14.1~dfsg-2+deb9u6 | fixed |
| | stretch (lts), stretch | 1:13.14.1~dfsg-2+deb9u10 | fixed |
| | buster, buster (lts) | 1:16.28.0~dfsg-0+deb10u5 | fixed |
| | buster (security) | 1:16.28.0~dfsg-0+deb10u4 | fixed |
| | bullseye | 1:16.28.0~dfsg-0+deb11u4 | fixed |
| | bullseye (security) | 1:16.28.0~dfsg-0+deb11u5 | fixed |
| | sid | 1:22.1.0~dfsg+~cs6.14.60671435-1 | fixed |
| auth2db (PTS) | jessie | 0.2.5-2+dfsg-5 | fixed |
| exaile (PTS) | jessie | 3.4.0.2-1 | fixed |
| | sid, trixie | 4.1.3+dfsg-4 | fixed |
| glpi (PTS) | jessie | 0.84.8+dfsg.1-1 | fixed |
| jquery (PTS) | jessie, jessie (lts) | 1.7.2+dfsg-3.2+deb8u7 | fixed |
| | stretch (security), stretch (lts), stretch | 3.1.1-2+deb9u2 | fixed |
| | buster | 3.3.1~dfsg-3+deb10u1 | fixed |
| jscropperui (PTS) | jessie, buster, stretch | 1.2.2-1 | fixed |
| | bullseye, bookworm | 1.2.2-1.1 | fixed |
| | sid, trixie | 1.2.2-2 | fixed |
| libaws (PTS) | jessie | 3.2.0-3 | fixed |
| | stretch | 3.3.2-2 | fixed |
| | buster | 19.0-2 | fixed |
| | bullseye | 20.2-2 | fixed |
| libhtml-prototype-perl (PTS) | jessie | 1.48-4 | fixed |
| | buster, stretch | 1.48-5 | fixed |
| | bullseye | 1.48-5.1 | fixed |
| | sid, trixie, bookworm | 1.48-6 | fixed |
| lucene2 (PTS) | jessie | 2.9.4+ds1-4 | fixed |
| | stretch | 2.9.4+ds1-6 | fixed |
| otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
| | stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | fixed |
| | buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed |
| | bullseye/non-free | 6.0.32-6 | fixed |
| passenger (PTS) | stretch (security), stretch (lts), stretch | 5.0.30-1+deb9u1 | fixed |
| | buster | 5.0.30-1.1 | fixed |
| | bullseye | 5.0.30-1.2+deb11u1 | fixed |
| | bookworm | 6.0.17+ds-1 | fixed |
| | sid, trixie | 6.0.20+ds-1 | fixed |
| prototypejs (PTS) | jessie, buster, stretch | 1.7.1-3 | fixed |
| | bullseye | 1.7.1-3.1 | fixed |
| | bookworm | 1.7.3-1 | fixed |
| | sid, trixie | 1.7.3-2 | fixed |
| scriptaculous (PTS) | jessie, buster, stretch | 1.9.0-2 | fixed |
| | bullseye | 1.9.0-2.1 | fixed |
| | bookworm | 1.9.0-3 | fixed |
| | sid, trixie | 1.9.0-4 | fixed |
| symfony (PTS) | jessie, jessie (lts) | 2.3.21+dfsg-4+deb8u6 | fixed |
| | stretch (security) | 2.8.7+dfsg-1.3+deb9u3 | fixed |
| | stretch (lts), stretch | 2.8.7+dfsg-1.3+deb9u5 | fixed |
| | buster (security), buster, buster (lts) | 3.4.22+dfsg-2+deb10u3 | fixed |
| | bullseye | 4.4.19+dfsg-2+deb11u6 | fixed |
| | bookworm | 5.4.23+dfsg-1+deb12u2 | fixed |
| | bookworm (security) | 5.4.23+dfsg-1+deb12u4 | fixed |
| | sid, trixie | 6.4.16+dfsg-1 | fixed |
| webcit (PTS) | jessie | 8.24-dfsg-1 | fixed |
| | stretch | 902-dfsg-4 | fixed |
| | buster | 917-dfsg-2 | fixed |
| webhelpers (PTS) | jessie, buster, stretch | 1.3-4 | fixed |
| wordpress (PTS) | jessie, jessie (lts) | 4.1.35+dfsg-0+deb8u1 | fixed |
| | stretch (security), stretch (lts), stretch | 4.7.23+dfsg-0+deb9u1 | fixed |
| | buster (security), buster, buster (lts) | 5.0.21+dfsg1-0+deb10u1 | fixed |
| | bullseye (security), bullseye | 5.7.11+dfsg1-0+deb11u1 | fixed |
| | bookworm (security), bookworm | 6.1.6+dfsg1-0+deb12u1 | fixed |
| | sid, trixie | 6.6.1+dfsg1-1 | fixed |
| zabbix (PTS) | jessie, jessie (lts) | 1:2.2.23+dfsg-0+deb8u9 | fixed |
| | stretch (security) | 1:3.0.32+dfsg-0+deb9u3 | fixed |
| | stretch (lts), stretch | 1:3.0.32+dfsg-0+deb9u8 | fixed |
| | buster (security), buster, buster (lts) | 1:4.0.4+dfsg-1+deb10u5 | fixed |
| | bullseye | 1:5.0.8+dfsg-1 | fixed |
| | bullseye (security) | 1:5.0.45+dfsg-1+deb11u1 | fixed |
| | bookworm | 1:6.0.14+dfsg-1 | fixed |
| | sid, trixie | 1:7.0.6+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
activeldap | source | (unstable) | 1.0.9-1 | unimportant | | 555263 |
asterisk | source | etch | (unfixed) | end-of-life | | |
asterisk | source | lenny | 1:1.4.21.2~dfsg-3+lenny1 | | DSA-1952-1 | |
asterisk | source | (unstable) | 1:1.6.2.0~rc3-1 | low | | 555220 |
auth2db | source | (unstable) | 0.2.5-2+dfsg-1 | low | | 555217 |
chora2 | source | (unstable) | (not affected) | | | |
ebug-http | source | (unstable) | 0.31-2.1 | low | | 555235 |
exaile | source | (unstable) | 0.2.14+debian-2.2 | low | | 555244 |
glpi | source | (unstable) | 0.72.3-1 | low | | 555228 |
gollem | source | (unstable) | (not affected) | | | |
hobix | source | (unstable) | 0.5~svn20070319-4 | low | | 555246 |
ingo1 | source | (unstable) | (not affected) | | | |
jifty | source | (unstable) | (not affected) | | | |
jquery | source | (unstable) | (not affected) | | | |
jscropperui | source | (unstable) | 1.2.1-1 | low | | 555255 |
knowledgeroot | source | lenny | (not affected) | | | |
knowledgeroot | source | (unstable) | 0.9.9.5-1 | low | | 555229 |
kronolith2 | source | (unstable) | (not affected) | | | |
libaws | source | (unstable) | 2.7-1 | low | | 555221 |
libhtml-prototype-perl | source | (unstable) | 1.48-3 | low | | 558977 |
libjson-ruby | source | lenny | 1.1.2-1+lenny1 | | | |
libjson-ruby | source | (unstable) | 1.1.4-1 | low | | 555223 |
lucene2 | source | etch | (not affected) | | | |
lucene2 | source | (unstable) | 2.9.1+ds1-2 | unimportant | | 555225 |
mediatomb | source | (unstable) | 0.12.0~svn2018-5 | low | | 555232 |
mt-daapd | source | etch | 0.2.4+r1376-1.1+etch3 | | | |
mt-daapd | source | (unstable) | 0.9~r1696.dfsg-6 | low | | 555231 |
op-panel | source | (unstable) | 0.30~dfsg-1 | low | | 555234 |
otrs2 | source | etch | (not affected) | | | |
otrs2 | source | lenny | (not affected) | | | |
otrs2 | source | (unstable) | 2.3.4-6 | low | | 555266 |
passenger | source | (unstable) | (not affected) | | | |
pixelpost | source | (unstable) | 1.7.1-6 | low | | 555248 |
plone3 | source | (unstable) | (unfixed) | low | | 555274 |
poker-network | source | (unstable) | 1.7.6-1 | low | | 555237 |
prototypejs | source | (unstable) | 1.6.0.2-1 | | | |
qwik | source | (unstable) | (unfixed) | low | | 555240 |
rt-extension-emailcompletion | source | (unstable) | (not affected) | | | |
scriptaculous | source | (unstable) | 1.8.3-1 | low | | 555259 |
symfony | source | (unstable) | 1.0.21-1.1 | low | | 555250 |
webcalendar | source | lenny | (not affected) | | | |
webcalendar | source | (unstable) | 1.2~b1-2 | low | | 555268 |
webcit | source | (unstable) | (not affected) | | | |
webhelpers | source | (unstable) | 0.3.4-2 | low | | 555239 |
wesnoth | source | (unstable) | (not affected) | | | |
wordpress | source | etch | (not affected) | | | |
wordpress | source | (unstable) | 2.5.0-2 | low | | 555242 |
zabbix | source | (unstable) | (not affected) | | | |
[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
[etch] - lucene2 <not-affected> (prototype.js not present)
prototype.js copy unused per #555225
[etch] - glpi <no-dsa> (minor issue)
[lenny] - glpi <no-dsa> (minor issue)
[etch] - knowledgeroot <no-dsa> (minor issue)
[lenny] - knowledgeroot <not-affected> (Vulnerable code not present)
[lenny] - mediatomb <no-dsa> (minor issue)
[lenny] - ebug-http <no-dsa> (Minor issue)
[etch] - poker-network <no-dsa> (minor issue)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
[etch] - wordpress <not-affected> (prototype.js not present)
[lenny] - exaile <no-dsa> (minor issue)
[lenny] - hobix <no-dsa> (minor issue)
[lenny] - pixelpost <no-dsa> (minor issue)
[lenny] - symfony <no-dsa> (minor issue)
[lenny] - jscropperui <no-dsa> (minor issue)
- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
[lenny] - scriptaculous <no-dsa> (Minor issue)
Only shipped in an example
[etch] - otrs2 <not-affected> (prototype.js not present)
[lenny] - otrs2 <not-affected> (prototype.js not present)
[lenny] - webcalendar <not-affected> (prototype.js not present)
[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555266)
- webcit <not-affected> (fixed since initial inclusion)
- zabbix <not-affected> (fixed since initial inclusion)
- chora2 <not-affected> (fixed since initial inclusion)
- gollem <not-affected> (fixed since initial inclusion)
- ingo1 <not-affected> (fixed since initial inclusion)
- kronolith2 <not-affected> (fixed since initial inclusion)
- jifty <not-affected> (fixed since initial inclusion)
- jquery <not-affected> (fixed since initial inclusion)
- passenger <not-affected> (fixed since initial inclusion)