Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1265?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "type": "mozilla", "namespace": "", "name": "SeaMonkey", "version": "1.0.8", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "1.0.9", "latest_non_vulnerable_version": "2.38.0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3134?format=api", "vulnerability_id": "VCID-1j51-1nhr-53fd", "summary": "iDefense \nhas informed Mozilla about two potential buffer overflow\nvulnerabilities found by researcher regenrecht\nin the Network Security Services (NSS) code for processing \nthe SSLv2 protocol. SSL clients such as Firefox and Thunderbird can suffer\na buffer overflow if a malicious server presents a certificate\nwith a public key that is too small to encrypt the entire\n\"Master Secret\". Exploiting this overflow appears to be\nunreliable but possible if the SSLv2 protocol is enabled. Servers that use NSS \nfor the SSLv2 protocol can be exploited by\na client that presents a \"Client Master Key\" with invalid length\nvalues in any of several fields that are used without adequate\nerror checking. 
This can lead to a buffer overflow that\npresumably could be exploitable. Support for SSLv2 is disabled in Firefox 2 due to other known\nweaknesses in the protocol; Firefox 2 is not vulnerable unless\nthe user has modified hidden internal NSS settings to\nre-enable SSLv2 support.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008", "reference_id": "CVE-2007-0008", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-06", "reference_id": "mfsa2007-06", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-06" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0008" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1j51-1nhr-53fd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3101?format=api", "vulnerability_id": "VCID-94fg-bbsu-nfbk", "summary": "", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995", "reference_id": "CVE-2007-0995", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-02", "reference_id": "mfsa2007-02", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-02" } 
], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0995" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-94fg-bbsu-nfbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3136?format=api", "vulnerability_id": "VCID-f2kp-75dy-juep", "summary": "Michal Zalewski demonstrated that setting location.hostname\nto a value with embedded null characters can confuse the browser's domain\nchecks. Setting the value triggers a load, but the networking software reads\nthe hostname only up to the null character while other checks for \"parent\ndomain\" start at the right and so can have a completely different idea of what\nthe current host is. This cannot be used for a direct same-origin violation to perform cross-site\nscripting: those checks are performed on the complete hostname including\nthe nulls. However, other mechanisms rely on matching parent domains and those\ncan be fooled by this trick. For example, this flaw allows a malicious page\nto set domain cookies for any arbitrary site, which might be useful in a\nsession-fixation attack. 
This also allows setting document.domain to any\narbitrary value which could be used to perform a cross-site scripting\nattack against any page which also sets document.domain.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981", "reference_id": "CVE-2007-0981", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-07", "reference_id": "mfsa2007-07", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-07" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0981" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f2kp-75dy-juep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3140?format=api", "vulnerability_id": "VCID-ffnp-4cx7-4ucu", "summary": "Aad reported that two web pages can collide in the disk cache\nwith the result that depending on order loaded the end of the longer\ndocument can be appended to the shorter when the shorter is reloaded from\nthe cache. It is possible a determined hacker could construct a targeted\nattack to steal some sensitive data from a particular web page (for example,\ntransaction history from a financial account). 
The potential victim would\nhave to be already logged into the targeted service (or be fooled into doing\nso) and then visit the malicious site. We have not calculated how much effort would be required to compute a colliding\nURL on a different host from the target page.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778", "reference_id": "CVE-2007-0778", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-03", "reference_id": "mfsa2007-03", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-03" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0778" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ffnp-4cx7-4ucu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3109?format=api", "vulnerability_id": "VCID-hbzv-jkrg-nudr", "summary": "moz_bug_r_a4 reports that the fix for\n\nMFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1\nintroduced a regression that allows scripts from web content\nto execute arbitrary code by setting the src\nattribute of an IMG tag to a specially crafted\njavascript: URI. The same regression also caused javascript: URIs in\nIMG tags to be executed even if JavaScript\nexecution was disabled in the global preferences. 
This facet was\nnoted by moz_bug_r_a4 and reported independently by\nAnbo Motohiko. Thunderbird is not affected by this flaw as it will not execute\njavascript: URIs in IMG tags.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0994", "reference_id": "CVE-2007-0994", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0994" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-09", "reference_id": "mfsa2007-09", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-09" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1266?format=api", "purl": "pkg:mozilla/SeaMonkey@1.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.1.1" } ], "aliases": [ "CVE-2007-0994" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hbzv-jkrg-nudr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3129?format=api", "vulnerability_id": "VCID-ppd4-9vpc-rkg4", "summary": "shutdown reported that if you could convince a user to\nopen a blocked popup you could perform a cross-site scripting attack against\nany site that contains a frame whose source is a data: URL. 
To accomplish this\nthe attacker's site would have to frame the target site plus another frame\nwhose source is the exact same data: url as the victim site, and then\nattempt to open a popup with a javascript: url from the data: frame. It is\nunclear whether any high-value target sites that match this description\nactually exist. Similarly, Michal Zalewski reported that although pages\nloaded from the web normally cannot open windows containing local files,\nif you could convince a user to open a blocked popup then this restriction\ncould be bypassed. In order to take advantage of this flaw the attacker\nwould have to know the full path to a locally-saved file containing\nmalicious script. He also reported that a flaw in the seeding of the\npseudo-random number generator resulted in downloaded files being\nsaved to temporary files with a reasonably predictable name. The two combined\ncould be used to steal information saved on the local disk.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780", "reference_id": "CVE-2007-0780", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-05", "reference_id": "mfsa2007-05", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-05" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0780" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ppd4-9vpc-rkg4" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/3105?format=api", "vulnerability_id": "VCID-rxjp-56cu-r7c2", "summary": "As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases we fixed\nseveral bugs to improve the stability of the product. Some of these were\ncrashes that showed evidence of memory corruption and we presume that\nwith enough effort at least some of these could be exploited to run\narbitrary code. Thunderbird shares the browser engine with Firefox\nand could be vulnerable if JavaScript were to be enabled in\nmail. This is not the default setting and we strongly discourage users from\nrunning JavaScript in mail. Without further investigation we cannot rule out\nthe possibility that for some of these an attacker might be able to prepare\nmemory for exploitation through some means other than JavaScript, such as\nlarge images.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775", "reference_id": "CVE-2007-0775", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-01", "reference_id": "mfsa2007-01", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0775" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rxjp-56cu-r7c2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3115?format=api", "vulnerability_id": 
"VCID-t7af-aka8-jyhj", "summary": "David Eckel reported that browser UI elements--such as the host name\nand security indicators--could be spoofed by using a large, mostly\ntransparent, custom cursor and adjusting the CSS3 hotspot property\nso that the visible part of the cursor floated outside the browser\ncontent area. This feature was introduced in Firefox 1.5 and does not affect products\nbased on Mozilla 1.7 or earlier such as Firefox 1.0", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779", "reference_id": "CVE-2007-0779", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-04", "reference_id": "mfsa2007-04", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-04" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-0779" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t7af-aka8-jyhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3114?format=api", "vulnerability_id": "VCID-vnz7-xw1b-6bdx", "summary": "Michal Zalewski reported a memory corruption vulnerability in Firefox\n2.0.0.1 involving mixing the onUnload event handler and self-modifying\ndocument.write() calls. 
This flaw was introduced in Firefox 2.0.0.1\nand 1.5.0.9 and does not affect earlier versions; it is fixed in\nFirefox 2.0.0.2 and 1.5.0.10", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092", "reference_id": "CVE-2007-1092", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-08", "reference_id": "mfsa2007-08", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2007-08" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1265?format=api", "purl": "pkg:mozilla/SeaMonkey@1.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" } ], "aliases": [ "CVE-2007-1092" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vnz7-xw1b-6bdx" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8" }