Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/63635?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63635?format=api", "vulnerability_id": "VCID-dbre-65bp-xbf1", "summary": "Security researcher Fabián Cuchietti discovered that\nit was possible to bypass the restriction on JavaScript execution in mail by\nembedding an <iframe> with a data: URL within a message. If the victim\nreplied or forwarded the mail after receiving it, quoting it \"in-line\"\nusing Thunderbird's HTML mail editor, it would run the attached script. The\nrunning script would be restricted to the mail composition window where it could\nobserve and potentially modify the content of the mail before it was sent.\nScripts were not executed if the recipient merely viewed the mail, only if it\nwas edited as HTML. Turning off HTML composition prevented the vulnerability and\nforwarding the mail \"as attachment\" prevented the forwarding\nvariant.Ateeq ur Rehman Khan of Vulnerability Labs reported\nadditional variants of this attack involving the use of the <object> tag\nand which could be used to attach object data types such as images, audio, or\nvideo.This affected the Thunderbird 17 branch. It was fixed in all\nversions based on Gecko 23 or later. Thunderbird 24 and later are not affected\nby this vulnerability.", "aliases": [ { "alias": "CVE-2013-6674" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86764?format=api", "purl": "pkg:mozilla/SeaMonkey@2.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.20.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/86763?format=api", "purl": "pkg:mozilla/Thunderbird@23.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@23.0.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/122908?format=api", "purl": "pkg:rpm/redhat/thunderbird@24.2.0-1?arch=el6_5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62px-695g-57bk" }, { "vulnerability": "VCID-69g6-8d1a-kubz" }, { "vulnerability": "VCID-b2k8-kjmq-1kh4" }, { "vulnerability": "VCID-db94-kcvc-zybp" }, { "vulnerability": "VCID-dbre-65bp-xbf1" }, { "vulnerability": "VCID-gsx1-3jjx-nqan" }, { "vulnerability": "VCID-t5xp-1qqf-cfht" }, { "vulnerability": "VCID-vg9h-jcc1-9qeg" }, { "vulnerability": "VCID-vhq8-wmxx-wqgt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/thunderbird@24.2.0-1%3Farch=el6_5" }, { "url": "http://public2.vulnerablecode.io/api/packages/122909?format=api", "purl": "pkg:rpm/redhat/thunderbird@24.2.0-2?arch=el5_10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-62px-695g-57bk" }, { "vulnerability": "VCID-69g6-8d1a-kubz" }, { "vulnerability": "VCID-b2k8-kjmq-1kh4" }, { "vulnerability": "VCID-db94-kcvc-zybp" }, { "vulnerability": "VCID-dbre-65bp-xbf1" }, { "vulnerability": "VCID-gsx1-3jjx-nqan" }, { "vulnerability": "VCID-t5xp-1qqf-cfht" }, { "vulnerability": "VCID-vg9h-jcc1-9qeg" }, { "vulnerability": "VCID-vhq8-wmxx-wqgt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/thunderbird@24.2.0-2%3Farch=el5_10" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6674.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6674.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6674", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97736", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.9768", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97687", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97688", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97693", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97696", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97698", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97701", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97702", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97708", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97711", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97712", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97717", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.9772", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97722", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97724", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97723", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.47529", "scoring_system": "epss", "scoring_elements": "0.97728", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-6674" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063120", "reference_id": "1063120", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063120" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6674", "reference_id": "CVE-2013-6674", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6674" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/31223.txt", "reference_id": "CVE-2013-6674;OSVDB-102566", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/31223.txt" }, { "reference_url": "https://www.vulnerability-lab.com/get_content.php?id=953", "reference_id": "CVE-2013-6674;OSVDB-102566", "reference_type": "exploit", "scores": [], "url": "https://www.vulnerability-lab.com/get_content.php?id=953" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-14", "reference_id": "mfsa2014-14", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2014-14" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2013:1823", "reference_id": "RHSA-2013:1823", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2013:1823" }, { "reference_url": "https://usn.ubuntu.com/2119-1/", "reference_id": "USN-2119-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/2119-1/" } ], "weaknesses": [], "exploits": [ { "date_added": "2014-01-27", "description": "Mozilla Thunderbird 17.0.6 - Input Validation Filter Bypass", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": false, "source_date_published": "2014-01-27", "exploit_type": "dos", "platform": "multiple", "source_date_updated": "2014-01-27", "data_source": "Exploit-DB", "source_url": "https://www.vulnerability-lab.com/get_content.php?id=953" } ], "severity_range_score": "7.0 - 8.9", "exploitability": "2.0", "weighted_severity": "8.0", "risk_score": 10.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dbre-65bp-xbf1" }