Ubuntu.com / UB:CVE-2007-2384

CVE-2007-2384

Published: 2007-04-30 00:00:00
Source: ubuntu.com

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:C/I:N/A:N)
  Attack Vector:          NETWORK
  Attack Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       NONE
  Availability Impact:    NONE

EPSS: 0.004 Low (percentile 73.9%)

The Script.aculo.us framework exchanges data using JavaScript Object
Notation (JSON) without an associated protection scheme, which allows
remote attackers to obtain the data via a web page that retrieves the data
through a URL in the SRC attribute of a SCRIPT element and captures the
data using other JavaScript code, aka “JavaScript Hijacking.”

Notes

Author note (jdstrand): This CVE is a general class of attacks called JavaScript hijacking. Its impact is largely dependent on how the developer a) uses the library, b) configures the library and c) interacts with the server. While the paper recommends defeating hijacking via both of two means, the CVE states that Scriptaculous does not have “an associated protection scheme”. Scriptaculous can be configured to use POST instead of GET, and with server-side scripting (as proposed in the paper), can thwart the attack.
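The attack class in the description and the two mitigations the note points at (require POST; add server-side protection to the response), as an added worked model. This is example code written for this page, not code from Script.aculo.us, Prototype or Ubuntu. The endpoint/request shapes, the cookie, the sample data, the `)]}',` prefix and the `X-Requested-With: XMLHttpRequest` header are assumptions chosen for the example; the prefix is one common convention, `while(1);` is another. The capture step itself relied on browser behaviour of the time (hooking `Array` or object setters so a literal being evaluated leaked its contents); current engines do not fire those hooks, so the model checks the precondition every variant of the attack needs: that a cross-origin `<script src>` GET, carrying the victim's cookies, receives a body that executes as a script at all.

```javascript
// Added example (not Script.aculo.us/Prototype/Ubuntu code): model of
// JavaScript hijacking (CVE-2007-2384 class) and two server-side mitigations.
// All values below are constructed for the example.

const SESSION_COOKIE = 'session=constructed-session-id';                // constructed
const PRIVATE_DATA = [{ user: 'alice', apiToken: 'constructed-token-123' }]; // constructed

// Vulnerable endpoint: any authenticated GET gets a bare JSON array. A bare
// array literal is a syntactically valid JavaScript program, so a
// cross-origin <script src=...> can load and execute it.
function vulnerableEndpoint(req) {
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(PRIVATE_DATA) };
}

// Hardened endpoint, combining the note's two mitigations:
//  1. require POST (a <script src> always issues GET) plus a custom request
//     header that a <script> tag cannot add (assumed header name);
//  2. prefix the body so it no longer parses as a script; the legitimate
//     client strips the prefix before JSON.parse (assumed prefix ")]}',\n").
const ANTI_HIJACK_PREFIX = ")]}',\n";
function hardenedEndpoint(req) {
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401, body: '' };
  if (req.method !== 'POST') return { status: 405, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' };
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(PRIVATE_DATA) };
}

// Attacker's page: <script src="https://victim.example/data"> makes the
// victim's browser send a GET *with the victim's cookies* and run the
// response as a script in the attacker's origin. Modelled as compile-only
// (never run it: a "while(1);" style prefix would hang the caller).
function scriptTagLoad(endpoint) {
  const res = endpoint({ method: 'GET', headers: { cookie: SESSION_COOKIE } });
  if (res.status !== 200) return { executed: false, reason: 'HTTP ' + res.status };
  try {
    new Function(res.body);                        // would execute in the attacker's page
    return { executed: true, reason: 'body is a valid script' };
  } catch (e) {
    return { executed: false, reason: e.name };    // SyntaxError: prefix defeated the load
  }
}

// Legitimate same-origin Ajax client: POST with the custom header, strip the
// prefix, then parse strictly as JSON (never eval).
function ajaxFetch(endpoint) {
  const res = endpoint({
    method: 'POST',
    headers: { cookie: SESSION_COOKIE, 'x-requested-with': 'XMLHttpRequest' },
  });
  if (res.status !== 200) throw new Error('HTTP ' + res.status);
  const body = res.body.startsWith(ANTI_HIJACK_PREFIX)
    ? res.body.slice(ANTI_HIJACK_PREFIX.length)
    : res.body;
  return JSON.parse(body);
}

// Why the attack targets arrays: a bare object literal such as {"a":1} is
// NOT a valid program (it parses as a block with an illegal label), while a
// bare array literal is.
function bodyExecutesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

console.log('vulnerable GET via <script>:', scriptTagLoad(vulnerableEndpoint));
console.log('hardened GET via <script>:  ', scriptTagLoad(hardenedEndpoint));
console.log('hardened POST via XHR:      ', ajaxFetch(hardenedEndpoint));
```

The two mitigations are independent: the POST/header check stops the `<script src>` load before any body is sent, and the prefix makes the body harmless even if a GET path is left open by mistake. Neither replaces an anti-CSRF token for state-changing requests; this example is only about read-side data leakage.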

