CVE-2007-2383

2007-04-3000:00:00

ubuntu.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.01 Low

EPSS

Percentile

83.5%

JSON

The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using
JavaScript Object Notation (JSON) without an associated protection scheme,
which allows remote attackers to obtain the data via a web page that
retrieves the data through a URL in the SRC attribute of a SCRIPT element
and captures the data using other JavaScript code, aka “JavaScript
Hijacking.”

Notes

Author	Note
jdstrand	This CVE is general class of attacks called Javascript Hijacking. It’s impact is largely dependent on how the developer a) uses the library, b) configures the library and c) interacts with the server. While the paper recommends defeating hijacking via both of two means, the CVE states that Prototype does not have “an associated protection scheme”. Prototype can be configured to use POST instead of GET, and with server side scripting (as proposed in the paper), can thwart the attack.

Author

Note

jdstrand

This CVE is general class of attacks called Javascript Hijacking. It’s impact is largely dependent on how the developer a) uses the library, b) configures the library and c) interacts with the server. While the paper recommends defeating hijacking via both of two means, the CVE states that Prototype does not have “an associated protection scheme”. Prototype can be configured to use POST instead of GET, and with server side scripting (as proposed in the paper), can thwart the attack.