Exposure of Sensitive Information to an Unauthorized Actor
CVE-2007-2379
Summary
The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." The package maintainer disputes the validity of this vulnerability since it's expected language behavior. If JSONP is used in a browser, the vulnerability is not exploitable, but it's up to the consumer application to use protective measures and not up to jQuery to fix it.
- LOW
- NETWORK
- NONE
- CHANGED
- NONE
- NONE
- LOW
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.
Advisory Timeline
- Published