{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.0.13","type":"mozilla","namespace":"","name":"Firefox","version":"3.0.13","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.0.14","latest_non_vulnerable_version":"151.0.3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2602?format=json","vulnerability_id":"VCID-366w-42za-1qb1","summary":"Security researcher Juan Pablo Lopez Yacubian\nreported that an attacker could call window.open() on an\ninvalid URL which looks similar to a legitimate URL and then\nuse document.write() to place content within the new\ndocument, appearing to have come from the spoofed location.\nAdditionally, if the spoofed document was created by a document with a\nvalid SSL certificate, the SSL indicators would be carried over into\nthe spoofed document.  An attacker could use these issues to display\nmisleading location and SSL information for a malicious web 
page.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2654.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2654.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2654","reference_id":"","reference_type":"","scores":[{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94273","published_at":"2026-06-06T12:55:00Z"},{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94263","published_at":"2026-06-04T12:55:00Z"},{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94272","published_at":"2026-06-05T12:55:00Z"},{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94279","published_at":"2026-06-09T12:55:00Z"},{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94275","published_at":"2026-06-07T12:55:00Z"},{"value":"0.13196","scoring_system":"epss","scoring_elements":"0.94274","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2654"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=521311","reference_id":"521311","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=521311"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2654","reference_id":"CVE-2009-2654","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2654"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33103.html","reference_id":"CVE-2009-2654;OSVDB-56717","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33103.html"},{"reference_url":"https://www.securityfocus.com/bid/35803/info","reference_id":"CVE-2009-2654;OSVDB-56717","reference_type":"exploit","scores":[],"url":"https://www.securityfocus.com/bid/35803/info"},{"reference_url
":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-44","reference_id":"mfsa2009-44","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1430","reference_id":"RHSA-2009:1430","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1430"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1431","reference_id":"RHSA-2009:1431","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1431"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1432","reference_id":"RHSA-2009:1432","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1432"},{"reference_url":"https://usn.ubuntu.com/811-1/","reference_id":"USN-811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/811-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1120?format=json","purl":"pkg:mozilla/Firefox@3.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.2"}],"aliases":["CVE-2009-2654"],"risk_score":0.2,"exploitability":"2.0","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-366w-42za-1qb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2642?format=json","vulnerability_id":"VCID-jppt-hyxw-gqa8","summary":"Mozilla 
developers and community members identified and fixed\nseveral stability bugs in the browser engine used in Firefox and other\nMozilla-based products. Some of these crashes showed evidence of\nmemory corruption under certain circumstances and we presume that with\nenough effort at least some of these could be exploited to run\narbitrary code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2662","reference_id":"","reference_type":"","scores":[{"value":"0.07076","scoring_system":"epss","scoring_elements":"0.91664","published_at":"2026-06-04T12:55:00Z"},{"value":"0.07076","scoring_system":"epss","scoring_elements":"0.91676","published_at":"2026-06-07T12:55:00Z"},{"value":"0.07076","scoring_system":"epss","scoring_elements":"0.91679","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07076","scoring_system":"epss","scoring_elements":"0.91674","published_at":"2026-06-08T12:55:00Z"},{"value":"0.07076","scoring_system":"epss","scoring_elements":"0.91688","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2662"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2662","reference_id":"CVE-2009-2662","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2662"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-45","reference_id":"mfsa2009-45","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerab
lecode.io/packages/pkg:mozilla/Firefox@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1120?format=json","purl":"pkg:mozilla/Firefox@3.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.2"}],"aliases":["CVE-2009-2662"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jppt-hyxw-gqa8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2623?format=json","vulnerability_id":"VCID-qtgw-bjrx-sug7","summary":"IOActive security researcher Dan Kaminsky reported a\nmismatch in the treatment of domain names in SSL certificates between SSL\nclients and the Certificate Authorities (CA) which issue server certificates.\nIn particular, if a malicious person requested a certificate for a host name\nwith an invalid null character in it most CAs would issue the\ncertificate if the requester owned the domain specified after the null, while\nmost SSL clients (browsers) ignored that part of the name and used the\nunvalidated part in front of the null. This made it possible for attackers to\nobtain certificates that would function for any site they wished to target.\nThese certificates could be used to intercept and potentially alter encrypted\ncommunication between the client and a server such as sensitive bank\naccount transactions. This vulnerability was independently reported to us by researcher\nMoxie Marlinspike who also noted that since Firefox\nrelies on SSL to protect the integrity of security updates this attack\ncould be used to serve malicious updates. 
Mozilla would like to thank Dan and the Microsoft Vulnerability\nResearch team for coordinating a multiple-vendor response to this problem.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2408.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2408.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2408","reference_id":"","reference_type":"","scores":[{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.83401","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.83376","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.834","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.83404","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.83398","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01855","scoring_system":"epss","scoring_elements":"0.8339","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2408"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=510251","reference_id":"510251","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=510251"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539934","reference_id":"539934","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539934"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408","reference_id":"CVE-2009-2408","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},
{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-42","reference_id":"mfsa2009-42","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-42"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1184","reference_id":"RHSA-2009:1184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1186","reference_id":"RHSA-2009:1186","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1186"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1190","reference_id":"RHSA-2009:1190","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1190"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1207","reference_id":"RHSA-2009:1207","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1207"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1432","reference_id":"RHSA-2009:1432","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1432"},{"reference_url":"https://usn.ubuntu.com/810-1/","reference_id":"USN-810-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/810-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1111?format=json","purl":"pkg:mozilla/Firefox@3.5.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.0"}],"aliases":["CVE-2009-2408"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_u
rl":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qtgw-bjrx-sug7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2671?format=json","vulnerability_id":"VCID-veuq-5jdf-tfcr","summary":"Moxie Marlinspike reported a heap overflow vulnerability\nin the code that handles regular expressions in certificate names. This\nvulnerability could be used to compromise the browser and run arbitrary code\nby presenting a specially crafted certificate to the client. This code\nprovided compatibility with the non-standard regular expression syntax\nhistorically supported by Netscape clients and servers. With version 3.5\nFirefox switched to the more limited industry-standard wildcard syntax\ninstead and is not vulnerable to this flaw.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2404.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2404.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2404","reference_id":"","reference_type":"","scores":[{"value":"0.21024","scoring_system":"epss","scoring_elements":"0.95752","published_at":"2026-06-04T12:55:00Z"},{"value":"0.21024","scoring_system":"epss","scoring_elements":"0.95757","published_at":"2026-06-05T12:55:00Z"},{"value":"0.21024","scoring_system":"epss","scoring_elements":"0.95761","published_at":"2026-06-06T12:55:00Z"},{"value":"0.21024","scoring_system":"epss","scoring_elements":"0.95762","published_at":"2026-06-08T12:55:00Z"},{"value":"0.21024","scoring_system":"epss","scoring_elements":"0.95766","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2404"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=512912","reference_id":"512912","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=512912"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539934","reference_
id":"539934","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539934"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404","reference_id":"CVE-2009-2404","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-43","reference_id":"mfsa2009-43","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-43"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1184","reference_id":"RHSA-2009:1184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1185","reference_id":"RHSA-2009:1185","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1185"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1186","reference_id":"RHSA-2009:1186","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1186"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1190","reference_id":"RHSA-2009:1190","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1190"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1207","reference_id":"RHSA-2009:1207","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1207"},{"reference_url":"https://usn.ubuntu.com/810-1/","reference_id":"USN-810-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/810-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.
0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1111?format=json","purl":"pkg:mozilla/Firefox@3.5.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.0"}],"aliases":["CVE-2009-2404"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-veuq-5jdf-tfcr"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.13"}