Look up vulnerable packages by Package URL (purl).

GET /api/packages/1113?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
    "purl": "pkg:mozilla/Firefox@3.0.9",
    "type": "mozilla",
    "namespace": "",
    "name": "Firefox",
    "version": "3.0.9",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "3.0.10",
    "latest_non_vulnerable_version": "151.0.0",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2681?format=api",
            "vulnerability_id": "VCID-615z-2kke-63cz",
            "summary": "Bjoern Hoehrmann and security researcher Moxie\nMarlinspike independently reported\nthat Unicode box drawing characters were allowed in Internationalized\nDomain Names (IDN) where they could be visually confused with\npunctuation used in valid web addresses.  This could be combined with\na phishing-type scam to trick a victim into thinking they were on a\ndifferent website than they actually were.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652",
                    "reference_id": "CVE-2009-0652",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-15",
                    "reference_id": "mfsa2009-15",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-15"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-0652"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-615z-2kke-63cz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2669?format=api",
            "vulnerability_id": "VCID-9kfx-ukhq-hbee",
            "summary": "Web developer Cefn Hoile reported that sites which\nallow users to embed third-party stylesheets are vulnerable to script\ninjection attacks using XBL bindings.  While this behavior was\ndocumented previously, it was determined that this particular risk was\nnot well-understood by some websites.  To mitigate this risk Mozilla\nadded a restriction that requires XBL bindings to come from the same\norigin as the bound document.\nThunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1308",
                    "reference_id": "CVE-2009-1308",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1308"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-18",
                    "reference_id": "mfsa2009-18",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-18"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1308"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9kfx-ukhq-hbee"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2687?format=api",
            "vulnerability_id": "VCID-9stf-3cns-4fcz",
            "summary": "Security researcher Gregory Fleischer reported\nthat when an Adobe Flash file is loaded via\nthe view-source: scheme, the Flash plugin misinterprets\nthe origin of the content as localhost, leading to two specific\nvulnerabilities:",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307",
                    "reference_id": "CVE-2009-1307",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-17",
                    "reference_id": "mfsa2009-17",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-17"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1307"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9stf-3cns-4fcz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2686?format=api",
            "vulnerability_id": "VCID-eb9z-2ahu-bff8",
            "summary": "Mozilla security researcher moz_bug_r_a4 reported\nthat it is possible to create a document whose URI does not match the\ndocument's principal using XMLHttpRequest.  This type of\nmismatch leads to incorrect results in principal-based security\nchecks.  An attacker could use this vulnerability to execute arbitrary\nJavaScript within the context of another site.\nmoz_bug_r_a4 separately reported\nthat XPCNativeWrapper.toString's\n__proto__ comes from the wrong scope which results in\ncalls to that function being executed in the wrong context in certain\ncircumstances.  An attacker could use this vulnerability to run\narbitrary code within the context of a different site.  Alternatively,\nif chrome were to call content.toString.call(), then\nattacker-defined functions could be run with chrome privileges.\nThunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309",
                    "reference_id": "CVE-2009-1309",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-19",
                    "reference_id": "mfsa2009-19",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-19"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1309"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eb9z-2ahu-bff8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2676?format=api",
            "vulnerability_id": "VCID-swau-cddy-1kdm",
            "summary": "Mozilla developers identified and fixed several stability bugs in\nthe browser engine used in Firefox and other Mozilla-based\nproducts. Some of these crashes showed evidence of memory corruption\nunder certain circumstances and we presume that with enough effort at\nleast some of these could be exploited to run arbitrary code.\nThunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail. Without further investigation we cannot rule out\nthe possibility that for some of these an attacker might be able to\nprepare memory for exploitation through some means other than\nJavaScript such as large images.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1302",
                    "reference_id": "CVE-2009-1302",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1302"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-14",
                    "reference_id": "mfsa2009-14",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-14"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1302"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-swau-cddy-1kdm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2597?format=api",
            "vulnerability_id": "VCID-ufrj-d9va-hbbg",
            "summary": "Mozilla developer Daniel Veditz reported that when\nthe jar: scheme is used to wrap a URI which serves the\ncontent with Content-Disposition: attachment, the HTTP\nheader is ignored and the content is unpacked and displayed inline.  A\nsite may depend on this HTTP header to prevent potentially untrusted\ncontent that it serves from executing within the context of the site.\nAn attacker could use this vulnerability to subvert sites using this\nmechanism to mitigate content injection attacks.\nThis vulnerability has not been fixed on the Mozilla 1.8.1 branch,\nwhich is used to build Firefox 2 and Thunderbird 2.  However, note\nthat there are several mitigating factors which prevent easy\nexploitation of this issue.  In order for a website to be exploitable\nit must:",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306",
                    "reference_id": "CVE-2009-1306",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-16",
                    "reference_id": "mfsa2009-16",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-16"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1306"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ufrj-d9va-hbbg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2663?format=api",
            "vulnerability_id": "VCID-y9mx-my5e-6qbp",
            "summary": "Developer and Mozilla community member Paolo\nAmadini reported that when saving the inner frame of a web\npage as a file when the outer page has POST data associated with it,\nthe POST data will be incorrectly sent to the URL of the inner frame.\nThis could potentially result in a user's sensitive data being sent to\na site for which it was not intended.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1311",
                    "reference_id": "CVE-2009-1311",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1311"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-21",
                    "reference_id": "mfsa2009-21",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-21"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1311"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y9mx-my5e-6qbp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2651?format=api",
            "vulnerability_id": "VCID-yggq-y333-67cq",
            "summary": "Mozilla community member Michael reported that\nwhen a server responds with a Refresh header containing a\njavascript: URI, Firefox will redirect to the javascript: URI.  If an\nattacker could inject a Refresh header into a server\nresponse, or could control the value that a site places in\nthe Refresh header, they could use this vulnerability to\nperform an XSS attack and execute arbitrary JavaScript within the\ncontext of that site.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1312",
                    "reference_id": "CVE-2009-1312",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1312"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-22",
                    "reference_id": "mfsa2009-22",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-22"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1312"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yggq-y333-67cq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2639?format=api",
            "vulnerability_id": "VCID-zx6d-t279-j7aj",
            "summary": "Security researcher Prateek Saxena reported that a\nmalicious MozSearch plugin could be created using a javascript: URI in\nthe SearchForm value.  This URI is used as the default\nlanding page when an empty search is performed.  If an attacker could\nget a user to install the malicious plugin and perform an empty\nsearch, the SearchForm javascript: URI would be executed\nwithin the context of the currently open page.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1310",
                    "reference_id": "CVE-2009-1310",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1310"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-20",
                    "reference_id": "mfsa2009-20",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-20"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1113?format=api",
                    "purl": "pkg:mozilla/Firefox@3.0.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
                }
            ],
            "aliases": [
                "CVE-2009-1310"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zx6d-t279-j7aj"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"
}