{"url":"http://public2.vulnerablecode.io/api/packages/185778?format=json","purl":"pkg:rpm/redhat/xulrunner@1.9.0.6-1?arch=el5","type":"rpm","namespace":"redhat","name":"xulrunner","version":"1.9.0.6-1","qualifiers":{"arch":"el5"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2649?format=json","vulnerability_id":"VCID-3f78-n439-6fhs","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0353.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0353.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0353","reference_id":"","reference_type":"","scores":[{"value":"0.0678","scoring_system":"epss","scoring_elements":"0.91471","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0678","scoring_system":"epss","scoring_elements":"0.91485","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0678","scoring_system":"epss","scoring_elements":"0.91487","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0678","scoring_system":"epss","scoring_elements":"0.91484","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0353"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483141","reference_id":"483141","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483141"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0353","reference_id":"CVE-2009-0353","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0353"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advis
ories/mfsa2009-01","reference_id":"mfsa2009-01","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0257","reference_id":"RHSA-2009:0257","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0257"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0258","reference_id":"RHSA-2009:0258","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0258"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"}],"fixed_packages":[],"aliases":["CVE-2009-0353"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3f78-n439-6fhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2658?format=json","vulnerability_id":"VCID-4bk3-p2fq-6uhf","summary":"Mozilla security researcher Georgi Guninski reported\nthat the fix for an earlier vulnerability reported by Liu Die Yu using local\ninternet shortcut files to access other sites\n(MFSA 2008-47) could be bypassed\nby redirecting to a privileged about: URI such as\nabout:plugins.\nIf an attacker could get a victim to\ndownload two files, a malicious HTML file and a .desktop shortcut\nfile, they could have the HTML document load a privileged chrome document\nvia the shortcut and both documents would be treated as same origin.\nThis vulnerability could potentially be used by an attacker to inject\narbitrary code into the chrome document and execute with chrome\nprivileges.  
Because this attack has relatively high complexity, the\nseverity of this issue was determined to be moderate.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0356.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0356.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0356","reference_id":"","reference_type":"","scores":[{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76176","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76201","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76203","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76196","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0356"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483144","reference_id":"483144","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483144"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0356","reference_id":"CVE-2009-0356","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0356"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-04","reference_id":"mfsa2009-04","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.
com/errata/RHSA-2009:0256"}],"fixed_packages":[],"aliases":["CVE-2009-0356"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4bk3-p2fq-6uhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2648?format=json","vulnerability_id":"VCID-57sy-21d1-pyew","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0352.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0352.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0352","reference_id":"","reference_type":"","scores":[{"value":"0.08533","scoring_system":"epss","scoring_elements":"0.9253","published_at":"2026-06-04T12:55:00Z"},{"value":"0.08533","scoring_system":"epss","scoring_elements":"0.92543","published_at":"2026-06-05T12:55:00Z"},{"value":"0.08533","scoring_system":"epss","scoring_elements":"0.92539","published_at":"2026-06-06T12:55:00Z"},{"value":"0.08533","scoring_system":"epss","scoring_elements":"0.92534","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0352"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483139","reference_id":"483139","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0352","reference_id":"CVE-2009-0352","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0352"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-01","reference_id":"mfsa2009-01","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual",
"scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0257","reference_id":"RHSA-2009:0257","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0257"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0258","reference_id":"RHSA-2009:0258","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0258"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"},{"reference_url":"https://usn.ubuntu.com/741-1/","reference_id":"USN-741-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/741-1/"}],"fixed_packages":[],"aliases":["CVE-2009-0352"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-57sy-21d1-pyew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2612?format=json","vulnerability_id":"VCID-by67-ztwk-8kh3","summary":"Mozilla security researcher moz_bug_r_a4 reported that\na form input control's type could be changed during the restoration of a\nclosed tab. An attacker could set an input control's text value to the\npath of a local file whose location was known to the attacker. If the tab\nwas then closed and the victim persuaded to re-open it, upon restoring the\ntab the attacker could use this vulnerability to change the input type to\nfile. 
Scripts in the page could then automatically submit\nthe form and steal the contents of the user's local file.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0355.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0355.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0355","reference_id":"","reference_type":"","scores":[{"value":"0.02431","scoring_system":"epss","scoring_elements":"0.85428","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02431","scoring_system":"epss","scoring_elements":"0.85451","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02431","scoring_system":"epss","scoring_elements":"0.85456","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0355"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483143","reference_id":"483143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483143"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0355","reference_id":"CVE-2009-0355","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0355"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-03","reference_id":"mfsa2009-03","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-03"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0257","reference_id":"
RHSA-2009:0257","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0257"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0258","reference_id":"RHSA-2009:0258","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0258"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"},{"reference_url":"https://usn.ubuntu.com/717-2/","reference_id":"USN-717-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-2/"}],"fixed_packages":[],"aliases":["CVE-2009-0355"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-by67-ztwk-8kh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2625?format=json","vulnerability_id":"VCID-cdy6-72f7-s7g5","summary":"Developer and Mozilla community member Wladimir Palant\nreported that cookies marked HTTPOnly were readable by JavaScript via\nthe XMLHttpRequest.getResponseHeader and \nXMLHttpRequest.getAllResponseHeaders APIs.  
This vulnerability\nbypasses the security mechanism provided by the HTTPOnly flag which\nintends to restrict JavaScript access to document.cookie. The fix prevents the XMLHttpRequest feature from accessing the\nSet-Cookie and Set-Cookie2 headers of any response\nwhether or not the HTTPOnly flag was set for those cookies.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0357.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0357.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0357","reference_id":"","reference_type":"","scores":[{"value":"0.0108","scoring_system":"epss","scoring_elements":"0.78189","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0108","scoring_system":"epss","scoring_elements":"0.78215","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0108","scoring_system":"epss","scoring_elements":"0.78222","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0108","scoring_system":"epss","scoring_elements":"0.78212","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0357"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483145","reference_id":"483145","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483145"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0357","reference_id":"CVE-2009-0357","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0357"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-05","reference_id":"mfsa2009-05","reference_type":"","scores":[{"value":"low","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozill
a.org/en-US/security/advisories/mfsa2009-05"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0257","reference_id":"RHSA-2009:0257","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0257"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"},{"reference_url":"https://usn.ubuntu.com/717-2/","reference_id":"USN-717-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-2/"},{"reference_url":"https://usn.ubuntu.com/717-3/","reference_id":"USN-717-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-3/"}],"fixed_packages":[],"aliases":["CVE-2009-0357"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdy6-72f7-s7g5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2684?format=json","vulnerability_id":"VCID-hgvh-r793-d7e1","summary":"Paul Nel reported that certain HTTP directives to\nnot cache web pages, Cache-Control: no-store and Cache-Control:\nno-cache for HTTPS pages, were being ignored by Firefox 3.  On a\nshared system, applications relying upon these HTTP directives could\npotentially expose private data.  
Another user on the system could use\nthis vulnerability to view improperly cached pages containing private\ndata by navigating the browser back. Firefox 2 releases are not affected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0358.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0358.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0358","reference_id":"","reference_type":"","scores":[{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.4096","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41036","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41041","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00192","scoring_system":"epss","scoring_elements":"0.41009","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0358"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483150","reference_id":"483150","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0358","reference_id":"CVE-2009-0358","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0358"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-06","reference_id":"mfsa2009-06","reference_type":"","scores":[{"value":"low","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-06"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-200
9:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"}],"fixed_packages":[],"aliases":["CVE-2009-0358"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hgvh-r793-d7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2600?format=json","vulnerability_id":"VCID-jhrk-vntt-yqd7","summary":"Mozilla security researcher moz_bug_r_a4 reported\nthat a chrome XBL method can be used in conjunction\nwith window.eval to execute arbitrary JavaScript within\nthe context of another website, violating the same origin policy. Firefox 2 releases are not affected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0354.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0354.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0354","reference_id":"","reference_type":"","scores":[{"value":"0.00789","scoring_system":"epss","scoring_elements":"0.74222","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00789","scoring_system":"epss","scoring_elements":"0.74255","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00789","scoring_system":"epss","scoring_elements":"0.74259","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00789","scoring_system":"epss","scoring_elements":"0.74246","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0354"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=483142","reference_id":"483142","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=483142"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0354","reference_id":"CVE-2009-035
4","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0354"},{"reference_url":"https://security.gentoo.org/glsa/201301-01","reference_id":"GLSA-201301-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201301-01"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-02","reference_id":"mfsa2009-02","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-02"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:0256","reference_id":"RHSA-2009:0256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:0256"},{"reference_url":"https://usn.ubuntu.com/717-1/","reference_id":"USN-717-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/717-1/"}],"fixed_packages":[],"aliases":["CVE-2009-0354"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jhrk-vntt-yqd7"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/xulrunner@1.9.0.6-1%3Farch=el5"}