Vulnerability Name: CVE-2008-7220 (CCN-53652)

Assigned: 2009-08-24
Published: 2009-08-24
Updated: 2021-07-27
Summary: Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Low
    Availability (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
  4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
  3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Other
References:

Source: MITRE
Type: CNA
CVE-2008-7220

Source: CCN
Type: AST-2009-009
Cross-site AJAX request vulnerability

Source: CCN
Type: GitHub Web site
CHANGELOG at master from sstephenson's prototype

Source: CONFIRM
Type: Release Notes, Third Party Advisory
http://github.com/sstephenson/prototype/blob/master/CHANGELOG

Source: OSVDB
Type: Broken Link
46312

Source: MISC
Type: Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

Source: CCN
Type: RedHat Fedora Project Web page
python-webhelpers

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20190510 dotCMS v5.1.1 Vulnerabilities

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Source: SECUNIA
Type: Third Party Advisory
37479

Source: SECUNIA
Type: Third Party Advisory
37677

Source: CCN
Type: WordPress Web site
WordPress

Source: DEBIAN
Type: Third Party Advisory
DSA-1952

Source: DEBIAN
Type: DSA-1952
asterisk -- several vulnerabilities

Source: CCN
Type: FreshPorts Web site
MediaTomb

Source: CCN
Type: GLSA-201006-20
Asterisk: Multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2004262 (Sterling B2B Integrator)
JavaScript vulnerability affects IBM Sterling B2B Integrator (CVE-2008-7220)

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20091107 Re: CVE Request - Asterisk (AST-2009-008.html)

Source: CCN
Type: OSVDB ID: 46312
Prototype JavaScript Framework prototype.js Cross-site Ajax Request Unspecified Issue

Source: CCN
Type: BID-36926
Prototype JavaScript Framework Cross-Site Ajax Request Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 523277
CVE-2008-7220 WordPress, MediaTomb, python-webhelpers, Asterisk, Plone -- embedded Prototype JavaScript FrameWork: XSS Ajax requests (AST-2009-009)

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=523277

Source: CONFIRM
Type: Issue Tracking, Not Applicable, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=533137

Source: XF
Type: UNKNOWN
prototypejs-ajax-unspecified(53652)

Source: CCN
Type: The Apache Software Foundation Web site
Tapestry

Source: CCN
Type: Mantis Group Asterisk BugID 0016139
CVE-2008-7220: static-http/prototype.js is vulnerable to "cross-site ajax requests"

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20191112 [jira] [Created] (ZOOKEEPER-3612) CLONE - Update lib prototype.js: 1.4.0_pre4 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20191107 [jira] [Created] (ZOOKEEPER-3610) Update lib prototype.js: 1.4.0_pre4 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20191112 [jira] [Created] (ZOOKEEPER-3612) CLONE - Update lib prototype.js: 1.4.0_pre4 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20191107 [jira] [Created] (ZOOKEEPER-3610) Update lib prototype.js: 1.4.0_pre4 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814

Source: BUGTRAQ
Type: Issue Tracking, Mailing List, Third Party Advisory
20190509 dotCMS v5.1.1 Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570557 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220)

Source: FEDORA
Type: Broken Link
FEDORA-2009-11070

Source: FEDORA
Type: Broken Link
FEDORA-2009-11126

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:prototypejs:prototype:*:*:*:*:*:*:*:* (Version < 1.6.0.2)

Configuration 2:
  • cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:6.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:prototypejs:prototype_javascript_framework:1.6.0.1:rc1:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.6.0.1:rc0:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.0:rc0:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.0:pre1:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.5.0:pre0:*:*:*:*:*:*
  • OR cpe:/a:prototypejs:prototype_javascript_framework:1.6.0.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:fedora:10:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.5:*:*:*:standard:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

| Definition ID                 | Class | Title                                                                              | Last Modified |
|-------------------------------|-------|------------------------------------------------------------------------------------|---------------|
| oval:org.mitre.oval:def:6950  | P     | DSA-1952 asterisk -- several vulnerabilities, end-of-life announcement in oldstable | 2015-02-23    |
| oval:org.mitre.oval:def:13727 | P     | DSA-1952-1 asterisk -- several vulnerabilities                                     | 2015-02-23    |
| oval:org.debian:def:1952      | V     | several vulnerabilities, end-of-life announcement in oldstable                     | 2009-12-15    |