Look up vulnerable packages by Package URL (purl).

GET /api/packages/1160?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
    "purl": "pkg:mozilla/Firefox@27.0.0",
    "type": "mozilla",
    "namespace": "",
    "name": "Firefox",
    "version": "27.0.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "28.0.0",
    "latest_non_vulnerable_version": "151.0.0",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2701?format=api",
            "vulnerability_id": "VCID-1fej-m4eu-syax",
            "summary": "Mozilla developer Boris Zbarsky reported an inconsistency\nwith the different JavaScript engines in how JavaScript native getters on\nwindow objects are handled by these engines. This inconsistency can\nlead to different behaviors in JavaScript code, allowing for a potential\nsecurity issue with window handling by bypassing of some security checks. \nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481",
                    "reference_id": "CVE-2014-1481",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-13",
                    "reference_id": "mfsa2014-13",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-13"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1481"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fej-m4eu-syax"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2764?format=api",
            "vulnerability_id": "VCID-cyn8-qgtg-eqa7",
            "summary": "Security researcher Jordan Milne reported an information\nleak where document.caretPositionFromPoint and\ndocument.elementFromPoint functions could be used on a cross-origin\niframe to gain information on the iframe's DOM and other attributes through a\ntiming attack, violating same-origin policy.\n\nIn general this flaw cannot be exploited through email in the\nSeamonkey product because scripting is disabled in mail, but is potentially a\nrisk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483",
                    "reference_id": "CVE-2014-1483",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-05",
                    "reference_id": "mfsa2014-05",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-05"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1483"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cyn8-qgtg-eqa7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2707?format=api",
            "vulnerability_id": "VCID-e4nd-kjf2-yfav",
            "summary": "Fredrik 'Flonka' Lönnqvist discovered an issue with image\ndecoding in RasterImage caused by continued use of discarded\nimages. This could allow for the writing to unowned memory and a potentially\nexploitable crash.\nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482",
                    "reference_id": "CVE-2014-1482",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-04",
                    "reference_id": "mfsa2014-04",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-04"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1482"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e4nd-kjf2-yfav"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2740?format=api",
            "vulnerability_id": "VCID-jgcv-d13t-cyh2",
            "summary": "Mozilla developers and community identified identified and fixed several\nmemory safety bugs in the browser engine used in Firefox and other Mozilla-based\nproducts. Some of these bugs showed evidence of memory corruption under certain\ncircumstances, and we presume that with enough effort at least some of these\ncould be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477",
                    "reference_id": "CVE-2014-1477",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-01",
                    "reference_id": "mfsa2014-01",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-01"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1477"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jgcv-d13t-cyh2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2772?format=api",
            "vulnerability_id": "VCID-kn9n-dpkn-d7bu",
            "summary": "Mozilla developer Brian Smith and security researchers\nAntoine Delignat-Lavaud and Karthikeyan\nBhargavan of the Prosecco research team at INRIA Paris reported issues\nwith ticket handling in the Network Security Services (NSS) libraries. These\nhave been addressed in the NSS 3.15.4 release, shipping on affected platforms.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490",
                    "reference_id": "CVE-2014-1490",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-12",
                    "reference_id": "mfsa2014-12",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-12"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1490"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kn9n-dpkn-d7bu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2696?format=api",
            "vulnerability_id": "VCID-maa1-xr1m-eqez",
            "summary": "Mozilla security engineer Frederik Braun reported an issue\nwhere the implementation of Content Security Policy (CSP) is not in compliance\nwith the specification. XSLT stylesheets\nmust be subject to script-src directives but Mozilla's\nimplementation of CSP treats them as styles. This could lead to unexpected\nscript execution if the style-src directives were less restrictive\nthan those for scripts.\nIn general this flaw cannot be exploited through email in the\nSeamonkey product because scripting is disabled in mail, but is potentially a\nrisk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485",
                    "reference_id": "CVE-2014-1485",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-07",
                    "reference_id": "mfsa2014-07",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-07"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1485"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-maa1-xr1m-eqez"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2699?format=api",
            "vulnerability_id": "VCID-nn9p-156s-sbff",
            "summary": "Soeren Balko reported a crash when\nterminating a web worker running asm.js code after passing an\nobject between threads. This crash is potentially exploitable.\nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488",
                    "reference_id": "CVE-2014-1488",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-11",
                    "reference_id": "mfsa2014-11",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-11"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1488"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nn9p-156s-sbff"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2716?format=api",
            "vulnerability_id": "VCID-nrmk-8zfr-4kfm",
            "summary": "Security researcher Cody Crews reported a method to bypass\nSystem Only Wrappers (SOW) by using XML Binding Language (XBL) content scopes to\nclone protected XUL elements. This could be used to clone anonymous nodes,\nmaking trusted XUL content web accessible.\nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479",
                    "reference_id": "CVE-2014-1479",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-02",
                    "reference_id": "mfsa2014-02",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-02"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1479"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nrmk-8zfr-4kfm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2718?format=api",
            "vulnerability_id": "VCID-pbpu-yfyv-yugx",
            "summary": "Mozilla developer Roee Hay reported that Firefox for\nAndroid profile paths leak to the Android system log. When running on Android\n4.2 or earlier, other applications are able to read these log files, leading to\ninformation disclosure from the user's profile directory. This issue was also\nindependently reported by Mozilla developer Richard Newman.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484",
                    "reference_id": "CVE-2014-1484",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-06",
                    "reference_id": "mfsa2014-06",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-06"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1484"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pbpu-yfyv-yugx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2728?format=api",
            "vulnerability_id": "VCID-r8re-c8tm-skhm",
            "summary": "Security researcher Arthur Gerkis, via TippingPoint's Zero\nDay Initiative, reported a use-after-free during image processing from sites\nwith specific content types in concert with the imgRequestProxy\nfunction. This causes a potentially exploitable crash. \nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486",
                    "reference_id": "CVE-2014-1486",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-08",
                    "reference_id": "mfsa2014-08",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-08"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1486"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r8re-c8tm-skhm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2779?format=api",
            "vulnerability_id": "VCID-sxun-heha-vqhd",
            "summary": "Security researcher Jordi Chancel reported that the dialog\nfor saving downloaded files did not implement a security timeout before button\nselections were processed. This could be used in concert with spoofing to\nconvince users to select a different option than intended, causing downloaded\nfiles to be potentially opened instead of only saved in some circumstances.\nIn general this flaw cannot be exploited through email in the\nSeamonkey product because scripting is disabled in mail, but is potentially a\nrisk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480",
                    "reference_id": "CVE-2014-1480",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-03",
                    "reference_id": "mfsa2014-03",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-03"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1480"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sxun-heha-vqhd"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2787?format=api",
            "vulnerability_id": "VCID-vj8c-6ym3-67ba",
            "summary": "Yazan Tommalieh discovered a flaw that once users have\nviewed the default Firefox start page (about:home), subsequent pages they\nnavigate to in that same tab could use script to activate the buttons that were\non the about:home page. Most of these simply open Firefox dialogs such as\nSettings or History, which might alarm users. In some cases a malicious page\ncould trigger session restore and cause data loss if the current tabs are\nreplaced by a previously stored set.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489",
                    "reference_id": "CVE-2014-1489",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-10",
                    "reference_id": "mfsa2014-10",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-10"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1489"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vj8c-6ym3-67ba"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2720?format=api",
            "vulnerability_id": "VCID-wzp9-phdj-y3em",
            "summary": "Security researcher Masato Kinugawa reported a cross-origin\ninformation leak through web workers' error messages. This violates same-origin\npolicy and the leaked information could potentially be used to gather\nauthentication tokens and other data from third-party websites. \nIn general this flaw cannot be exploited through email in the\nThunderbird and Seamonkey products because scripting is disabled in mail, but is\npotentially a risk in browser or browser-like contexts.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487",
                    "reference_id": "CVE-2014-1487",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-09",
                    "reference_id": "mfsa2014-09",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-09"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1160?format=api",
                    "purl": "pkg:mozilla/Firefox@27.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
                }
            ],
            "aliases": [
                "CVE-2014-1487"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wzp9-phdj-y3em"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@27.0.0"
}