Look up vulnerable packages by Package URL (purl).

GET /api/packages/1055?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
    "type": "mozilla",
    "namespace": "",
    "name": "Firefox ESR",
    "version": "10.0.8",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "10.0.9",
    "latest_non_vulnerable_version": "140.11.0",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2301?format=api",
            "vulnerability_id": "VCID-1z2q-kuap-wkfk",
            "summary": "Security researcher Mariusz Mlynski reported that the\nlocation property can be accessed by binary plugins through\ntop.location and top can be shadowed by\nObject.defineProperty as well. This can allow for possible\ncross-site scripting (XSS) attacks through plugins.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994",
                    "reference_id": "CVE-2012-3994",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-82",
                    "reference_id": "mfsa2012-82",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-82"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3994"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1z2q-kuap-wkfk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2325?format=api",
            "vulnerability_id": "VCID-2gcp-9sky-3ffp",
            "summary": "Security researcher Mariusz Mlynski reported an issue with\nspoofing of the location property. In this issue, writes to\nlocation.hash can be used in concert with scripted history\nnavigation to cause a specific website to be loaded into the history object. The\nbaseURI can then be changed to this stored site, allowing an attacker to inject\na script or intercept posted data posted to a location specified with a relative\npath.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992",
                    "reference_id": "CVE-2012-3992",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-84",
                    "reference_id": "mfsa2012-84",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-84"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3992"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2gcp-9sky-3ffp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2251?format=api",
            "vulnerability_id": "VCID-3x39-wrcj-r7f1",
            "summary": "Security researcher Abhishek Arya (Inferno) of the Google\nChrome Security Team discovered a series of use-after-free, buffer overflow, and\nout of bounds read issues using the Address Sanitizer tool in shipped software.\nThese issues are potentially exploitable, allowing for remote code execution.\nWe would also like to thank Abhishek for reporting two additional use-after-free\nflaws introduced during Firefox 16 development and fixed before general release. \nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995",
                    "reference_id": "CVE-2012-3995",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-85",
                    "reference_id": "mfsa2012-85",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-85"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3995"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3x39-wrcj-r7f1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2280?format=api",
            "vulnerability_id": "VCID-c145-1rm9-m3ez",
            "summary": "Security researcher Atte Kettunen from OUSPG reported\nseveral heap memory corruption issues found using the Address Sanitizer tool.\nThese issues are potentially exploitable, allowing for remote code execution.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185",
                    "reference_id": "CVE-2012-4185",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-86",
                    "reference_id": "mfsa2012-86",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-86"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-4185"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c145-1rm9-m3ez"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2388?format=api",
            "vulnerability_id": "VCID-esqz-7rhk-vugx",
            "summary": "Mozilla developers identified and fixed several memory safety bugs in the\nbrowser engine used in Firefox and other Mozilla-based products. Some of these\nbugs showed evidence of memory corruption under certain circumstances, and we\npresume that with enough effort at least some of these could be exploited to run\narbitrary code.In general these flaws cannot be exploited through email in the Thunderbird\nand SeaMonkey products because scripting is disabled, but are potentially a risk\nin browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3983",
                    "reference_id": "CVE-2012-3983",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3983"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-74",
                    "reference_id": "mfsa2012-74",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-74"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3983"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-esqz-7rhk-vugx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2387?format=api",
            "vulnerability_id": "VCID-f5ve-9rj6-2qhd",
            "summary": "Security researcher miaubiz used the Address Sanitizer tool\nto discover a use-after-free in the IME State Manager code. This could lead to a\npotentially exploitable crash. \nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990",
                    "reference_id": "CVE-2012-3990",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-87",
                    "reference_id": "mfsa2012-87",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-87"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3990"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f5ve-9rj6-2qhd"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2348?format=api",
            "vulnerability_id": "VCID-m66w-2zgj-kqhr",
            "summary": "Security researcher Soroush Dalili reported that a\ncombination of invoking full screen mode and navigating backwards in history\ncould, in some circumstances, cause a hang or crash due to a timing dependent\nuse-after-free pointer reference. This crash may be potentially exploitable.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988",
                    "reference_id": "CVE-2012-3988",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-79",
                    "reference_id": "mfsa2012-79",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-79"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3988"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m66w-2zgj-kqhr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2290?format=api",
            "vulnerability_id": "VCID-mq5h-749h-53ff",
            "summary": "Mozilla developer Johnny Stenback discovered that several\nmethods of a feature used for testing (DOMWindowUtils) are not protected by\nexisting security checks, allowing these methods to be called through script by\nweb pages. This was addressed by adding the existing security checks to these\nmethods.\nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986",
                    "reference_id": "CVE-2012-3986",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-77",
                    "reference_id": "mfsa2012-77",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-77"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3986"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mq5h-749h-53ff"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2293?format=api",
            "vulnerability_id": "VCID-shqz-mtvs-6ffy",
            "summary": "Mozilla community member Alice White reported that when the\nGetProperty function is invoked through JSAPI, security checking\ncan be bypassed when getting cross-origin properties. This potentially allowed\nfor arbitrary code execution. \nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991",
                    "reference_id": "CVE-2012-3991",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-81",
                    "reference_id": "mfsa2012-81",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-81"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3991"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-shqz-mtvs-6ffy"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2258?format=api",
            "vulnerability_id": "VCID-up5d-dcg6-3fab",
            "summary": "Security researcher Mariusz Mlynski reported that it is possible to shadow the location object using Object.defineProperty. This could be used to confuse the current location to plugins, allowing for possible cross-site scripting (XSS) attacks.\nUpdate October 9, 2012: This advisory was updated to reflect the fact that bug 756719 was also fixed in ESR 10.0.8.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956",
                    "reference_id": "CVE-2012-1956",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-59",
                    "reference_id": "mfsa2012-59",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "high",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-59"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-1956"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-up5d-dcg6-3fab"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2330?format=api",
            "vulnerability_id": "VCID-wtfj-hrtt-z7d9",
            "summary": "Security researcher Mariusz Mlynski reported that when\nInstallTrigger fails, it throws an error wrapped in a Chrome Object Wrapper\n(COW) that fails to specify exposed properties. These can then be added to the\nresulting object by an attacker, allowing access to chrome privileged functions\nthrough script.\nWhile investigating this issue, Mozilla security researcher\nmoz_bug_r_a4 found that COW did not disallow accessing of\nproperties from a standard prototype in some situations, even when the original\nissue had been fixed.\nThese issues could allow for a cross-site scripting (XSS) attack or arbitrary\ncode execution. \nIn general these flaws cannot be exploited through email in the\nThunderbird and SeaMonkey products because scripting is disabled, but are\npotentially a risk in browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993",
                    "reference_id": "CVE-2012-3993",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-83",
                    "reference_id": "mfsa2012-83",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-83"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1055?format=api",
                    "purl": "pkg:mozilla/Firefox%20ESR@10.0.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
                }
            ],
            "aliases": [
                "CVE-2012-3993"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wtfj-hrtt-z7d9"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@10.0.8"
}