{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","type":"mozilla","namespace":"","name":"Firefox","version":"40.0.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"40.0.3","latest_non_vulnerable_version":"151.0.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3079?format=json","vulnerability_id":"VCID-2crz-j51e-byc3","summary":"Security researcher Abhishek Arya (Inferno) of the Google\nChrome Security Team used the Address Sanitizer tool to discover two buffer\noverflow issues in the Libvpx library used for WebM video when decoding a\nmalformed WebM video file. These buffer overflows result in potentially\nexploitable crashes.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485","reference_id":"CVE-2015-4485","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-89","reference_id":"mfsa2015-89","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-89"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4485"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2crz-j51e-byc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3092?format=json","vulnerability_id":"VCID-59jz-5qv2-5yb1","summary":"Security researcher André Bargull reported non-configurable\nproperties on JavaScript objects can 
be redefined while parsing JSON in\nviolation of the ECMAScript 6 standard. This allows malicious web content to\nbypass same-origin policy by editing these properties to arbitrary values.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478","reference_id":"CVE-2015-4478","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-82","reference_id":"mfsa2015-82","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-82"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4478"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-59jz-5qv2-5yb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3037?format=json","vulnerability_id":"VCID-7n87-9s1d-pkbk","summary":"Security researcher Masato Kinugawa reported that opening a\ntarget page using a POST to the url prefixed with the feed:\nprotocol disables the mixed content blocker for that page. 
This could allow for\nthe risk of a man-in-the-middle (MITM) scripting attack on pages that\naccidentally include insecure content which would otherwise be blocked.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483","reference_id":"CVE-2015-4483","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-86","reference_id":"mfsa2015-86","reference_type":"","scores":[{"value":"low","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-86"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4483"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7n87-9s1d-pkbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3026?format=json","vulnerability_id":"VCID-adr4-axws-a3fp","summary":"Mozilla security engineer Christoph Kerschbaumer reported a\ndiscrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. 
The specification\nstates that blob:, data:, and filesystem:\nURLs should be excluded in case of a wildcard when matching source expressions\nbut Mozilla's implementation allows these in the case of an asterisk wildcard.\nThis could allow for more permissive CSP usage than expected by a web developer,\npossibly allowing for cross-site scripting (XSS) attacks.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490","reference_id":"CVE-2015-4490","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-91","reference_id":"mfsa2015-91","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-91"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4490"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-adr4-axws-a3fp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2967?format=json","vulnerability_id":"VCID-bndf-h1gn-dbhg","summary":"Security researcher Looben Yang discovered a use-after-free\nvulnerability when recursively calling .open() on an XMLHttpRequest\nin a 
SharedWorker.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492","reference_id":"CVE-2015-4492","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-92","reference_id":"mfsa2015-92","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4492"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bndf-h1gn-dbhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2997?format=json","vulnerability_id":"VCID-f9tb-p3ha-9ug6","summary":"Security researcher Aki Helin used the Address Sanitizer\ntool to discover an out-of-bounds read during playback of a malformed MP3 format\naudio file which switches sample formats. 
This could trigger a potentially\nexploitable crash or the reading of out-of-bounds memory content in some\ncircumstances.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475","reference_id":"CVE-2015-4475","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-80","reference_id":"mfsa2015-80","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-80"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4475"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f9tb-p3ha-9ug6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2950?format=json","vulnerability_id":"VCID-gcfa-hdye-jqar","summary":"An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer\noverflows in the libstagefright library that could be triggered by a malicious 'saio'\nchunk in an MPEG4 video. 
These overflows allowed for potential arbitrary code execution.\nThis issue was independently reported by security researcher laf.intel. Security researcher Massimiliano Tomassoli also discovered an\ninteger overflow issue when parsing an invalid MPEG4 video. Mozilla security engineers Tyson Smith and Christoph\nDiehl used the Address Sanitizer to find a buffer overflow when parsing an MPEG4\nvideo with an invalid size in an ESDS chunk that leads to memory corruption. Each of these reported issues results in potentially exploitable crashes that\ncould allow for remote code execution.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479","reference_id":"CVE-2015-4479","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-83","reference_id":"mfsa2015-83","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4479"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gcfa-hdye-jqar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2976?format=json","vulnerability_id":"VCID-hgqa-m8ub-f3dc","summary":"Mozilla developers and community identified and fixed several memory safety\nbugs in the browser engine used in Firefox and other Mozilla-based products.\nSome of these bugs showed evidence of memory corruption under certain\ncircumstances, and we presume that with enough effort at least some of these\ncould be 
exploited to run arbitrary code.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473","reference_id":"CVE-2015-4473","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-79","reference_id":"mfsa2015-79","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-79"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4473"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hgqa-m8ub-f3dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2959?format=json","vulnerability_id":"VCID-j6jh-yqyy-qkbb","summary":"Security researcher Holger Fuhrmannek reported that if the\nUpdater opens a MAR\nformat file with a specially crafted name, an out-of-bounds write will occur.\nThis can lead to a potentially exploitable crash but requires that the malicious\nMAR format file be present on the local system and the Updater to be\nrun to use 
it.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4482","reference_id":"CVE-2015-4482","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4482"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-85","reference_id":"mfsa2015-85","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4482"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6jh-yqyy-qkbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3013?format=json","vulnerability_id":"VCID-jst2-7b63-ubbj","summary":"Security researcher SkyLined reported a use-after-free issue\nin how audio is handled during\nMediaStream playback through interactions with the Web Audio API.\nThis results in a potentially exploitable 
crash.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477","reference_id":"CVE-2015-4477","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-81","reference_id":"mfsa2015-81","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-81"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4477"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jst2-7b63-ubbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2949?format=json","vulnerability_id":"VCID-qtnf-u4kt-ybav","summary":"Security researcher Gustavo Grieco reported a heap overflow\nin gdk-pixbuf affecting Linux systems using Gnome. This issue is\ntriggered by the scaling of a malformed bitmap format image and results in a\npotentially exploitable crash.\nThis issue only affects Linux systems running Gnome. 
Windows and\nOS X operating systems are unaffected.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491","reference_id":"CVE-2015-4491","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-88","reference_id":"mfsa2015-88","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-88"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4491"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qtnf-u4kt-ybav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3039?format=json","vulnerability_id":"VCID-syb1-nrzb-x3g9","summary":"Security researcher James Forshaw, security researcher with\nGoogle Project Zero, reported that the Mozilla Maintenance Service on Windows\ncan be made to write its log file in a restricted location with an arbitrary\nfile name through the use of a hard link by means of a race condition. This can\nallow the log file to overwrite another named file that a user would not have\nthe privileges to change. If the overwritten file is used as source input or\nscript by a program with elevated privileges, it could allow for an escalation\nof privilege attack. This requires local file system access and the ability to\nexecute local programs to be exploitable.\nThis issue only affects Windows systems. 
OS X and Linux\noperating systems are unaffected.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4481","reference_id":"CVE-2015-4481","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4481"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-84","reference_id":"mfsa2015-84","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-84"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4481"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-syb1-nrzb-x3g9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2923?format=json","vulnerability_id":"VCID-wjz2-h366-vbae","summary":"Security researcher Ronald Crane reported three\nvulnerabilities affecting released code that were found through code inspection.\nThese included one use of unowned memory, one use of a deleted object, and one\nmemory safety bug. 
These do not all have clear mechanisms to be exploited\nthrough web content but are vulnerable if a mechanism can be found to trigger\nthem.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487","reference_id":"CVE-2015-4487","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-90","reference_id":"mfsa2015-90","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-90"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4487"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wjz2-h366-vbae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2956?format=json","vulnerability_id":"VCID-x1fr-hs7k-e7hs","summary":"Security researcher Jukka Jylänki reported a crash that\noccurs because JavaScript, when using shared memory, does not properly gate\naccess to Atomics or SharedArrayBuffer views in some\ncontexts. 
This leads to a non-exploitable crash.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484","reference_id":"CVE-2015-4484","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-87","reference_id":"mfsa2015-87","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-87"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1228?format=json","purl":"pkg:mozilla/Firefox@40.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}],"aliases":["CVE-2015-4484"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1fr-hs7k-e7hs"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0"}