
Exposure of Sensitive Information to an Unauthorized Actor

CVE-2007-2379

Severity Medium
Score 5.8/10

Summary

The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." The package maintainer disputes the validity of this vulnerability since it's expected language behavior. If JSONP is used in a browser, the vulnerability is not exploitable, but it's up to the consumer application to use protective measures and not up to jQuery to fix it.
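The following added example, which is not jQuery's code and not part of the advisory, shows two common guards a consumer application can put on a JSON endpoint: requiring the `X-Requested-With` header and prefixing the body so it does not parse as script. The function names, the request/response shapes and the sample data are assumptions made for illustration.

```javascript
// Added example: server-side guards against loading a JSON endpoint via <script src>.
// Function names and the request/response shapes are assumptions for illustration.
const PREFIX = ")]}',\n"; // not valid JavaScript, so a <script> load fails to parse

// Build the response for a JSON endpoint. `req` is { method, headers }.
function guardJsonResponse(req, payload) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  // A <script src> fetch is a GET that cannot carry custom request headers;
  // jQuery's same-origin $.ajax calls send X-Requested-With: XMLHttpRequest.
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "Forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: PREFIX + JSON.stringify(payload),
  };
}

// Client side: strip the prefix before parsing; reject bodies that lack it.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijacking prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// What a SCRIPT element would attempt: compile the body as JavaScript.
// new Function() only compiles here; the body is never executed.
function compilesAsScript(body) {
  try { new Function(body); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Constructed sample data and requests.
const contacts = [{ name: "Alice", email: "alice@example.test" }];
const viaScriptTag = guardJsonResponse({ method: "GET", headers: {} }, contacts);
const viaAjax = guardJsonResponse(
  { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } }, contacts);
console.log(viaScriptTag.status, viaAjax.status);
console.log(compilesAsScript(JSON.stringify(contacts)), compilesAsScript(viaAjax.body));
console.log(parseGuardedJson(viaAjax.body));
```

A bare top-level JSON array compiles as a script, which is the case the prefix closes off; the header check rejects the request before any data is serialized.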

  • LOW
  • NETWORK
  • NONE
  • CHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

Advisory Timeline

  • Published