[Pkg-javascript-devel] Bug#557745: yui: CVE-2007-2385 javascript hijacking

Michael Gilbert michael.s.gilbert at gmail.com
Tue Nov 24 03:09:27 UTC 2009


Package: yui
Version: 2.7.0b-1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for yui.

CVE-2007-2385[0]:
| The Yahoo! UI framework exchanges data using JavaScript Object
| Notation (JSON) without an associated protection scheme, which allows
| remote attackers to obtain the data via a web page that retrieves the
| data through a URL in the SRC attribute of a SCRIPT element and
| captures the data using other JavaScript code, aka "JavaScript
| Hijacking."

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2385
    http://security-tracker.debian.org/tracker/CVE-2007-2385





More information about the Pkg-javascript-devel mailing list