Vulnerability Name: CVE-2007-2384 (CCN-34445)
Assigned: 2007-03-12
Published: 2007-03-12
Updated: 2008-11-13

Summary: The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

CVSS v3 Severity:
- 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2 Severity:
- 7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
- 6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:POC/RL:U/RC:UR)
- 2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR)

Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information

References:
- Source: CCN; Type: Microsoft Atlas Web site; "AJAX: The Official Microsoft ASP.NET AJAX Site"
- Source: CCN; Type: Google Web Toolkit Web site; "Google Web Toolkit - Build AJAX apps in the Java language"
- Source: MITRE; Type: CNA; CVE-2007-2376
- Source: MITRE; Type: CNA; CVE-2007-2377
- Source: MITRE; Type: CNA; CVE-2007-2378
- Source: MITRE; Type: CNA; CVE-2007-2379
- Source: MITRE; Type: CNA; CVE-2007-2380
- Source: MITRE; Type: CNA; CVE-2007-2381
- Source: MITRE; Type: CNA; CVE-2007-2382
- Source: MITRE; Type: CNA; CVE-2007-2383
- Source: MITRE; Type: CNA; CVE-2007-2384
- Source: MITRE; Type: CNA; CVE-2007-2385
- Source: CCN; Type: Yahoo! User Interface (YUI) Library Web site; "Yahoo! UI Library (YUI)"
- Source: CCN; Type: Dojo Web site; "The Dojo Toolkit | The JavaScript Toolkit"
- Source: CCN; Type: Direct Web Remoting Web site; "DWR - Easy Ajax for JAVA | Getahead"
- Source: CCN; Type: jQuery Web site; "jQuery: The Write Less, Do More, JavaScript Library"
- Source: CCN; Type: moo.fx Web site; "moo.fx - size does matter"
- Source: OSVDB; Type: UNKNOWN; 43319
- Source: CCN; Type: script.aculo.us Web site; "script.aculo.us - web 2.0 javascript"
- Source: DEBIAN; Type: DSA-1952; "asterisk -- several vulnerabilities"
- Source: CCN; Type: Fortify Software Whitepaper, March 12, 2007; "JavaScript Hijacking"
- Source: MISC; Type: UNKNOWN; http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
- Source: CCN; Type: MochiKit Web site; "MochiKit - A lightweight Javascript library"
- Source: CCN; Type: OSVDB ID: 43319; "Script.aculo.us Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43320; "jQuery Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43321; "Google Web Toolkit (GWT) Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43322; "Direct Web Remoting (DWR) Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43323; "Dojo Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43324; "Yahoo! UI Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43325; "Microsoft Atlas Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43326; "MochiKit Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43327; "Moo.fx Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: OSVDB ID: 43328; "Prototype (prototypejs) Framework JavaScript Object Notation (JSON) Crafted HTML Remote Data Disclosure"
- Source: CCN; Type: Prototype JS Web site; "Prototype JavaScript framework: Easy Ajax and DOM manipulation for dynamic web applications"
- Source: XF; Type: UNKNOWN; multiple-json-information-disclosure(34445)
- Source: SUSE; Type: SUSE-SR:2009:004; "SUSE Security Summary Report"

Vulnerable Configuration:
- Configuration 1
- Configuration CCN 1
(Marked entries denote that the component is vulnerable.)