Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/1091?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "type": "mozilla", "namespace": "", "name": "Firefox", "version": "3.0.5", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.0.6", "latest_non_vulnerable_version": "151.0.0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2456?format=api", "vulnerability_id": "VCID-1r73-v4h5-7kc5", "summary": "Google security researcher Chris Evans reported that a\nwebsite could access a limited amount of data from a different domain by\nloading a same-domain JavaScript URL which redirects to an off-domain\ntarget resource containing data\nwhich is not parsable as JavaScript. Upon attempting to load the data as\nJavaScript a syntax error is generated that can reveal some of the file\ncontext via the window.onerror DOM API. This issue could be used by a malicious website to steal private data\nfrom users who are authenticated on the redirected website. How much\ndata could be at risk would depend on the format of the data and how\nthe JavaScript parser attempts to interpret it. For most files the\namount of data that can be recovered would be limited to the first\nword or two. Some data files might allow deeper probing with\nrepeated loads. Thunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail. Update December 18, 2008: The Windows version of Firefox\n2.0.0.19 was shipped without the fix for this issue (other platforms\nwere correctly patched). 
Firefox 2.0.0.20 has been released on Windows\nto correct this oversight.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507", "reference_id": "CVE-2008-5507", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-65", "reference_id": "mfsa2008-65", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5507" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1r73-v4h5-7kc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2448?format=api", "vulnerability_id": "VCID-2px9-hc1z-3qca", "summary": "Mozilla developers identified and fixed several stability bugs in the browser\nengine used in Firefox and other Mozilla-based products. Some of these crashes\nshowed evidence of memory corruption under certain circumstances and we presume\nthat with enough effort at least some of these could be exploited to run\narbitrary code. Thunderbird shares the browser engine with Firefox and could be\nvulnerable if JavaScript were to be enabled in mail. This is not the default\nsetting and we strongly discourage users from running JavaScript in\nmail. 
Without further investigation we cannot rule out the possibility that for\nsome of these an attacker might be able to prepare memory for exploitation\nthrough some means other than JavaScript such as large images.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500", "reference_id": "CVE-2008-5500", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-60", "reference_id": "mfsa2008-60", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-60" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5500" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2px9-hc1z-3qca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2481?format=api", "vulnerability_id": "VCID-6hd5-6f4p-akb4", "summary": "Perl developer Chip Salzenberg reported that\ncertain control characters, when placed at the beginning of a URL,\nwould lead to incorrect parsing resulting in a malformed URL being\noutput by the parser. IBM researchers Justin Schuh,\nTom Cross, and Peter William also\nreported a related symptom as part of their research that resulted in\nMFSA 2008-37.\n\nThere was no direct security impact from this issue and its effect\nwas limited to the improper rendering of hyperlinks containing\nspecific characters. 
The severity of this issue was determined to be\nlow.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508", "reference_id": "CVE-2008-5508", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-66", "reference_id": "mfsa2008-66", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-66" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5508" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6hd5-6f4p-akb4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2491?format=api", "vulnerability_id": "VCID-gf5k-p1zj-kkam", "summary": "Marius Schilder of Google Security reported that\nwhen a XMLHttpRequest is made to a same-origin resource\nwhich 302 redirects to a resource in a different domain, the response\nfrom the cross-domain resource is readable by the site issuing the\nXHR. Cookies marked HttpOnly were not readable, but\nother potentially sensitive data could be revealed in the XHR response\nincluding URL parameters and content in the response body.Thunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. 
This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506", "reference_id": "CVE-2008-5506", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-64", "reference_id": "mfsa2008-64", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5506" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gf5k-p1zj-kkam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2467?format=api", "vulnerability_id": "VCID-hsqv-k32f-eqbv", "summary": "Mozilla security researcher moz_bug_r_a4 reported\nthat an XBL binding, when attached to an unloaded document, can be\nused to violate the same-origin policy and execute arbitrary\nJavaScript within the context of a different website. moz_bug_r_a4 also reported two vulnerabilities by which page\ncontent can pollute XPCNativeWrappers and run arbitrary JavaScript with\nchrome privileges. Thunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. 
This is not\nthe default setting and we strongly discourage users from running\nJavaScript in mail.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511", "reference_id": "CVE-2008-5511", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-68", "reference_id": "mfsa2008-68", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-68" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5511" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hsqv-k32f-eqbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2480?format=api", "vulnerability_id": "VCID-hwk2-xetj-kke7", "summary": "Mozilla security researcher moz_bug_r_a4 reported\nvulnerabilities in the session-restore feature by which content could be\ninjected into an incorrect document storage location, including\nstorage locations for other domains. 
An attacker could utilize these\nissues to violate the browser's same-origin policy and perform an XSS\nattack while SessionStore data is being restored. moz_bug_r_a4 also reported that one variant could be used by an\nattacker to run arbitrary JavaScript with chrome privileges.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513", "reference_id": "CVE-2008-5513", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-69", "reference_id": "mfsa2008-69", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-69" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5513" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hwk2-xetj-kke7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2475?format=api", "vulnerability_id": "VCID-kzs1-hx2t-y7da", "summary": "Security researcher Hish reported that\nthe persist attribute in XUL elements can be used to\nstore cookie-like information on a user's computer which could later\nbe read by a website. This creates a privacy issue for users who have\na non-standard cookie preference and wish to prevent sites from\nsetting cookies on their machine. Even with cookies turned off, this\nissue could be used by a website to write persistent data in a user's\nbrowser and track the user across browsing sessions. 
Additionally,\nthis issue could allow a website to bypass the limits normally placed\non cookie size and number.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5505", "reference_id": "CVE-2008-5505", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5505" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-63", "reference_id": "mfsa2008-63", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-63" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5505" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kzs1-hx2t-y7da" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2422?format=api", "vulnerability_id": "VCID-vuz7-kx9u-vye9", "summary": "Kojima Hajime reported that unlike literal null\ncharacters which were handled correctly, the escaped form '\\0'\nwas ignored by the CSS parser and treated as if it was not present in\nthe CSS input string. This issue could potentially be used to bypass\nscript sanitization routines in web applications. 
The severity of\nthis issue was determined to be low.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5510", "reference_id": "CVE-2008-5510", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5510" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-67", "reference_id": "mfsa2008-67", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2008-67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1091?format=api", "purl": "pkg:mozilla/Firefox@3.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" } ], "aliases": [ "CVE-2008-5510" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vuz7-kx9u-vye9" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.5" }