{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1517?format=json","vulnerability_id":"VCID-butm-m2gx-5fhg","summary":"The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.","aliases":[{"alias":"CVE-2018-5158"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1783?format=json","purl":"pkg:alpm/archlinux/firefox@60.0-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/firefox@60.0-1"},{"url":"http://public2.vulnerablecode.io/api/packages/55807?format=json","purl":"pkg:npm/pdfjs-dist@1.10.100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/pdfjs-dist@1.10.100"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1782?format=json","purl":"pkg:alpm/archlinux/firefox@59.0.2-3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1557-g5c6-6qfd"},{"vulnerability":"VCID-2zj9-v7vs-3uaa"},{"vulnerability":"VCID-3bxm-7dgr-pucg"},{"vulnerability":"VCID-4eq6-4c8r-qkg2"},{"vulnerability":"VCID-6yxx-4qbq-47cr"},{"vulnerability":"VCID-73ma-r4r5-4qa3"},{"vulnerability":"VCID-7kbu-ee1d-2kg4"},{"vulnerability":"VCID-7ngg-49bu-qkgb"},{"vulnerability":"VCID-9jh8-4rtu-7bcw"},{"vulnerability":"VCID-ax9b-784y-5ker"},{"vulnerability":"VCID-butm-m2gx-5fhg"},{"vulnerability":"VCID-ea3n-d33u-gyba"},{"vulnerability":"VCID-ehc9-yy69-87bf"},{"vulnerability":"VCID-hs3m-748h-eudc"},{"vulnerability":"VCID-k5a8-v536-bkft"},{"vulnerability":"VCID-knvr-bzxc-afa3"},{"vulnerability":"VCID-p2ha-eytr-n7es"},{"vulnerability":"VCID-qhwr-p7yp-1bc1"},{"vulnerability":"VCID-rppr-dqct-p7ft"},{"vulnerability":"VCID-s4fm-7715-yqa1"},{"vulnerability":"VCID-shqb-afj8-vuev"},{"vulnerability":"VCID-v41y-gerf-hkgd"},{"vulnerability":"VCID-wrsb-a236-d7ae"},{"vulnerability":"VCID-wz54-3pue-5kde"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/firefox@59.0.2-3"}],"references":[{"reference_url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1452075","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1452075"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158"},{"reference_url":"https://security.archlinux.org/ASA-201805-10","reference_id":"ASA-201805-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201805-10"},{"reference_url":"https://security.archlinux.org/AVG-693","reference_id":"AVG-693","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-693"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-11","reference_id":"mfsa2018-11","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-11"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-12","reference_id":"mfsa2018-12","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-12"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":94,"name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-butm-m2gx-5fhg"}