{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","type":"mozilla","namespace":"","name":"Thunderbird","version":"38.7.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"38.8.0","latest_non_vulnerable_version":"151.0.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1935?format=json","vulnerability_id":"VCID-1bx2-4ka7-w3cr","summary":"The CESG, the Information Security Arm of GCHQ, reported a dangling\npointer dereference within the Netscape Plugin Application Programming Interface (NPAPI)\nthat could lead to the NPAPI subsystem crashing. This issue requires a maliciously crafted\nNPAPI plugin in concert with scripted web content, resulting in a potentially exploitable\ncrash when triggered.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966","reference_id":"CVE-2016-1966","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-31","reference_id":"mfsa2016-31","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-31"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"}],"aliases":["CVE-2016-1966"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bx2-4ka7-w3cr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1891?format=json","vulnerability_id":"VCID-2pb1-uy1v-vuf1","summary":"Mozilla developers fixed several memory safety bugs in the browser engine used in\nFirefox and other Mozilla-based products. Some of these bugs showed evidence of memory\ncorruption under certain circumstances, and we presume that with enough effort at least\nsome of these could be exploited to run arbitrary code.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952","reference_id":"CVE-2016-1952","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-16","reference_id":"mfsa2016-16","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-16"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1952"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2pb1-uy1v-vuf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1903?format=json","vulnerability_id":"VCID-4hgx-k5jn-ckeu","summary":"Security researcher Holger Fuhrmannek and Mozilla security engineer\nTyson Smith reported a number of security vulnerabilities in the Graphite\n2 library affecting version 1.3.5.\nThe issue reported by Holger Fuhrmannek is a mechanism to induce\nstack corruption with a malicious graphite font. This leads to a potentially exploitable\ncrash when the font is loaded.\nTyson Smith used the Address Sanitizer tool in concert with a custom\nsoftware fuzzer to find a series of uninitialized memory, out-of-bounds read, and\nout-of-bounds write errors when working with fuzzed graphite fonts. \n\nTo address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been\nupdated to Graphite 2 version 1.3.6.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977","reference_id":"CVE-2016-1977","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-37","reference_id":"mfsa2016-37","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-37"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1977"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hgx-k5jn-ckeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1959?format=json","vulnerability_id":"VCID-9wc3-cjef-3ucq","summary":"Security researcher Francis Gabriel of Quarkslab reported a heap-based\nbuffer overflow in the way the Network Security Services (NSS) libraries parsed certain\nASN.1 structures. An attacker could create a specially-crafted certificate which, when\nparsed by NSS, would cause it to crash or execute arbitrary code with the permissions of\nthe user.\nThis issue has been addressed in the NSS releases shipping on affected Mozilla\nproducts:","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950","reference_id":"CVE-2016-1950","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-35","reference_id":"mfsa2016-35","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1950"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9wc3-cjef-3ucq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1917?format=json","vulnerability_id":"VCID-b1zu-35mw-jkdg","summary":"Security researchers Jose Martinez and Romina\nSantillan reported a memory leak in the libstagefright library when array\ndestruction occurs during MPEG4 video file processing.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957","reference_id":"CVE-2016-1957","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-20","reference_id":"mfsa2016-20","reference_type":"","scores":[{"value":"low","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-20"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1957"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b1zu-35mw-jkdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1973?format=json","vulnerability_id":"VCID-cr9v-b95v-eyha","summary":"Security researcher Ronald Crane reported an out-of-bounds read\nfollowing a failed allocation in the HTML parser while working with unicode strings. This\ncan also affect the parsing of XML and SVG format data. This leads to a potentially\nexploitable crash. \nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974","reference_id":"CVE-2016-1974","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-34","reference_id":"mfsa2016-34","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1974"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cr9v-b95v-eyha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1899?format=json","vulnerability_id":"VCID-dhjd-31cm-1fh6","summary":"Security researcher ca0nguyen, working with HP's Zero Day Initiative,\nreported a use-after-free issue in the HTML5 string parser when parsing a particular set\nof table-related tags in a foreign fragment context such as SVG. This results in a\npotentially exploitable crash.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960","reference_id":"CVE-2016-1960","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-23","reference_id":"mfsa2016-23","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-23"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1960"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dhjd-31cm-1fh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1872?format=json","vulnerability_id":"VCID-dxam-cewh-63dt","summary":"Security researcher Nicolas Golubovic reported that a malicious page\ncan overwrite files on the user's machine using Content Security Policy (CSP) violation\nreports. The file contents are restricted to the JSON format of the report. In many cases\noverwriting a local file may simply be destructive, breaking the functionality of that\nfile. The CSP error reports can include HTML fragments which could be rendered by\nbrowsers. If a user has disabled add-on signing and has installed an \"unpacked\" add-on, a\nmalicious page could overwrite one of the add-on resources. Depending on how this resource\nis used, this could lead to privilege escalation.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954","reference_id":"CVE-2016-1954","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-17","reference_id":"mfsa2016-17","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-17"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1954"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dxam-cewh-63dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1950?format=json","vulnerability_id":"VCID-jr76-2aht-uqb2","summary":"Security researcher lokihardt, working with HP's Zero Day Initiative,\nreported a use-after-free issue in the SetBody function of\nHTMLDocument. This results in a potentially exploitable crash.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961","reference_id":"CVE-2016-1961","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-24","reference_id":"mfsa2016-24","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1961"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jr76-2aht-uqb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1868?format=json","vulnerability_id":"VCID-mxj9-cgmx-zkg9","summary":"Security researcher Nicolas Grégoire used the Address Sanitizer to\nfind a use-after-free during XML transformation operations. This results in a potentially\nexploitable crash triggerable by web content.\nIn general this flaw cannot be exploited through email in the\nThunderbird product because scripting is disabled, but is potentially a risk in\nbrowser or browser-like contexts.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964","reference_id":"CVE-2016-1964","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-27","reference_id":"mfsa2016-27","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/896?format=json","purl":"pkg:mozilla/Thunderbird@38.7.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/895?format=json","purl":"pkg:mozilla/Thunderbird@45.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@45.0.0"}],"aliases":["CVE-2016-1964"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mxj9-cgmx-zkg9"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@38.7.0"}