{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","type":"mozilla","namespace":"","name":"Thunderbird","version":"38.3.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"38.4.0","latest_non_vulnerable_version":"151.0.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2995?format=json","vulnerability_id":"VCID-63se-aey7-4kdh","summary":"Mozilla developer Ehsan Akhgari reported two issues with Cross-origin\nresource sharing (CORS) \"preflight\" requests.The first issue is that in some circumstances the same cache key can be generated for\ntwo preflight requests on a site. As a result, if a second request is made that will match\nthe cached key generated by an earlier request, CORS checks will be bypassed because the\nsystem will see the previously cached request as applicable.In the second issue, when some Access-Control- headers are missing from\nCORS responses, the values from different Access-Control- headers can be used\nthat present in the same response. In general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4520.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4520.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4520","reference_id":"","reference_type":"","scores":[{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69654","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69607","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69646","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69653","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69644","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69633","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4520"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265781","reference_id":"1265781","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265781"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520","reference_id":"CVE-2015-4520","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-111","reference_id":"mfsa2015-111","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-111"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1852","reference_id":"RHSA-2015:1852","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1852"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4520"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63se-aey7-4kdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3072?format=json","vulnerability_id":"VCID-6mkm-meq9-r3fc","summary":"Security researcher Holger Fuhrmannek reported that when the\nMozilla updater is run, the updater can be manipulated to load the updated files from a\nworking directory under user control in concert with junctions. When the updates are run\nby the Mozilla Maintenance Service on Windows, these malicious files can be run with\nelevated privileges and be used to replace arbitrary files on the system. This could allow\nfor arbitrary code execution by a malicious user with local system access but does not\nallow for exploitation by web content.\nThis issue is specific to Windows and does not affect Linux or OS X\nsystems.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4505.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4505.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4505","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28144","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28123","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28194","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28064","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28104","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.2806","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4505"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265610","reference_id":"1265610","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265610"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4505","reference_id":"CVE-2015-4505","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4505"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-100","reference_id":"mfsa2015-100","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-100"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4505"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mkm-meq9-r3fc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2955?format=json","vulnerability_id":"VCID-89p2-k3uk-bkhp","summary":"Security researcher Mario Gomes reported that when a previously\nloaded image on a page is drag and dropped into content after a redirect, the redirected\nURL is available to scripts. This is a violation of the  Fetch specification's defined behavior for\n\"Atomic HTTP redirect handling\" which states that redirected URLs are not exposed to any\nAPIs. This can allow for information leakage. \nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4519.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4519.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4519","reference_id":"","reference_type":"","scores":[{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63376","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63324","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63368","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63369","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63365","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63352","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4519"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265778","reference_id":"1265778","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265778"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519","reference_id":"CVE-2015-4519","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-110","reference_id":"mfsa2015-110","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1852","reference_id":"RHSA-2015:1852","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1852"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4519"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-89p2-k3uk-bkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2971?format=json","vulnerability_id":"VCID-cf7n-mn5h-yyaq","summary":"Using the Address Sanitizer tool, security researcher Atte\nKettunen discovered a buffer overflow in the nestegg library when decoding a WebM\nformat video with maliciously formatted headers. This leads to a potentially exploitable\ncrash.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4511.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4511.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4511","reference_id":"","reference_type":"","scores":[{"value":"0.0396","scoring_system":"epss","scoring_elements":"0.88573","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0396","scoring_system":"epss","scoring_elements":"0.88591","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0396","scoring_system":"epss","scoring_elements":"0.88593","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0396","scoring_system":"epss","scoring_elements":"0.88592","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0396","scoring_system":"epss","scoring_elements":"0.88609","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4511"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265630","reference_id":"1265630","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265630"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4511","reference_id":"CVE-2015-4511","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4511"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-105","reference_id":"mfsa2015-105","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-105"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4511"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cf7n-mn5h-yyaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2966?format=json","vulnerability_id":"VCID-cwdt-7ey1-5bax","summary":"Security researcher Khalil Zhani reported that a maliciously crafted\nvp9 format video could be used to trigger a buffer overflow while parsing the file. This\nleads to a potentially exploitable crash due to a flaw in the libvpx library. \nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4506.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4506.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4506","reference_id":"","reference_type":"","scores":[{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92229","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92219","published_at":"2026-06-04T12:55:00Z"},{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92231","published_at":"2026-06-05T12:55:00Z"},{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92242","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92227","published_at":"2026-06-07T12:55:00Z"},{"value":"0.07974","scoring_system":"epss","scoring_elements":"0.92228","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4506"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265617","reference_id":"1265617","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265617"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506","reference_id":"CVE-2015-4506","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-101","reference_id":"mfsa2015-101","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-101"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4506"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cwdt-7ey1-5bax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2929?format=json","vulnerability_id":"VCID-dcby-f84h-gbht","summary":"Security researcher Ronald Crane reported two issues in the libGLES\nportions of the ANGLE graphics library, used for WebGL and OpenGL content on Windows\nsystems. The first of these is a missing bounds check leading to memory safety errors when\nmanipulating shaders which could result in the writing to unowned memory. The second issue\nalso affects shaders when insufficient memory is allocated for a shader attribute array,\nleading to a buffer overflow. Both of these issues can lead to a potentially exploitable\ncrash.\nThese issues are specific to Windows and does not affect Linux or OS X\nsystems.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7178.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7178.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7178","reference_id":"","reference_type":"","scores":[{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.82847","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.82822","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.82848","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.8285","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.82845","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01736","scoring_system":"epss","scoring_elements":"0.82837","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7178"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265201","reference_id":"1265201","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7178","reference_id":"CVE-2015-7178","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7178"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-113","reference_id":"mfsa2015-113","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-113"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-7178"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dcby-f84h-gbht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2935?format=json","vulnerability_id":"VCID-qq5e-2j1p-uufm","summary":"Security researcher Ronald Crane reported eight\nvulnerabilities affecting released code that were found through code inspection. These\nincluded several potential memory safety issues resulting from the use of\nsnprintf, one use of unowned memory, one use of a string without overflow\nchecks, and five memory safety bugs. These do not all have clear mechanisms to be\nexploited through web content but are vulnerable if a mechanism can be found to trigger\nthem.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4517.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4517.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4517","reference_id":"","reference_type":"","scores":[{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87268","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87248","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87271","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87275","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87266","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03205","scoring_system":"epss","scoring_elements":"0.87263","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4517"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265784","reference_id":"1265784","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265784"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517","reference_id":"CVE-2015-4517","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-112","reference_id":"mfsa2015-112","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-112"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1852","reference_id":"RHSA-2015:1852","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1852"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4517"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq5e-2j1p-uufm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2932?format=json","vulnerability_id":"VCID-qq9w-dr8s-rbc1","summary":"Mozilla developers and community identified and fixed several memory safety\nbugs in the browser engine used in Firefox and other Mozilla-based products.\nSome of these bugs showed evidence of memory corruption under certain\ncircumstances, and we presume that with enough effort at least some of these\ncould be exploited to run arbitrary code.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4500.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4500.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4500","reference_id":"","reference_type":"","scores":[{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.872","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.8718","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.87203","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.87205","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.87197","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03173","scoring_system":"epss","scoring_elements":"0.87194","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4500"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265186","reference_id":"1265186","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265186"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500","reference_id":"CVE-2015-4500","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-96","reference_id":"mfsa2015-96","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-96"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1852","reference_id":"RHSA-2015:1852","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1852"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4500"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq9w-dr8s-rbc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3036?format=json","vulnerability_id":"VCID-s42a-965d-buf6","summary":"An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free\nvulnerability with HTML media elements on a page during script manipulation of the URI\ntable of these elements. This results in a potentially exploitable crash.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4509.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-4509.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4509","reference_id":"","reference_type":"","scores":[{"value":"0.04937","scoring_system":"epss","scoring_elements":"0.89807","published_at":"2026-06-04T12:55:00Z"},{"value":"0.04937","scoring_system":"epss","scoring_elements":"0.89823","published_at":"2026-06-05T12:55:00Z"},{"value":"0.04937","scoring_system":"epss","scoring_elements":"0.89824","published_at":"2026-06-06T12:55:00Z"},{"value":"0.04937","scoring_system":"epss","scoring_elements":"0.89822","published_at":"2026-06-08T12:55:00Z"},{"value":"0.04937","scoring_system":"epss","scoring_elements":"0.89838","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-4509"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265192","reference_id":"1265192","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1265192"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509","reference_id":"CVE-2015-4509","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-106","reference_id":"mfsa2015-106","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2015-106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1834","reference_id":"RHSA-2015:1834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:1852","reference_id":"RHSA-2015:1852","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:1852"},{"reference_url":"https://usn.ubuntu.com/2743-1/","reference_id":"USN-2743-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2743-1/"},{"reference_url":"https://usn.ubuntu.com/2754-1/","reference_id":"USN-2754-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2754-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1235?format=json","purl":"pkg:mozilla/Thunderbird@38.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}],"aliases":["CVE-2015-4509"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s42a-965d-buf6"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.3.0"}