{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2686?format=json","vulnerability_id":"VCID-eb9z-2ahu-bff8","summary":"Mozilla security researcher moz_bug_r_a4 reported\nthat it is possible to create a document whose URI does not match the\ndocument's principal using XMLHttpRequest.  This type of\nmismatch leads to incorrect results in principal-based security\nchecks.  An attacker could use this vulnerability to execute arbitrary\nJavaScript within the context of another site.moz_bug_r_a4 separately reported\nthat XPCNativeWrapper.toString's\n__proto__ comes from the wrong scope which results in\ncalls to that function being executed in the wrong context in certain\ncircumstances.  An attacker could use this vulnerability to run\narbitrary code within the context of a different site.  Alternatively,\nif chrome were to call content.toString.call(), then\nattacker-defined functions could be run with chrome privileges.Thunderbird shares the browser engine with Firefox and\ncould be vulnerable if JavaScript were to be enabled in mail. This is\nnot the default setting and we strongly discourage users from running\nJavaScript in mail.","aliases":[{"alias":"CVE-2009-1309"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1113?format=json","purl":"pkg:mozilla/Firefox@3.0.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.9"}],"affected_packages":[],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309","reference_id":"CVE-2009-1309","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-19","reference_id":"mfsa2009-19","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-19"}],"weaknesses":[],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eb9z-2ahu-bff8"}