Lucene search

MozillaCVE-2013-1687

HistoryJun 26, 2013 - 3:19 a.m.

CVE-2013-1687

2013-06-2603:19:10

CWE-264

mozilla

web.nvd.nist.gov

cve-2013-1687

mozilla firefox

xbl

user-defined functions

restriction bypass

javascript

cross-site scripting

xss

security vulnerability

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

6.4

Confidence

High

EPSS

0.007

Percentile

80.4%

JSON

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.

Affected configurations

Nvd

Node

mozillafirefoxRange≤21.0

mozillafirefoxMatch19.0

mozillafirefoxMatch19.0.1

mozillafirefoxMatch19.0.2

mozillafirefoxMatch20.0

mozillafirefoxMatch20.0.1

Node

mozillafirefox_esrMatch17.0

mozillafirefox_esrMatch17.0.1

mozillafirefox_esrMatch17.0.2

mozillafirefox_esrMatch17.0.3

mozillafirefox_esrMatch17.0.4

mozillafirefox_esrMatch17.0.5

mozillafirefox_esrMatch17.0.6

Node

mozillathunderbirdRange≤17.0.6

mozillathunderbirdMatch17.0

mozillathunderbirdMatch17.0.1

mozillathunderbirdMatch17.0.2

mozillathunderbirdMatch17.0.3

mozillathunderbirdMatch17.0.4

mozillathunderbirdMatch17.0.5

Node

mozillathunderbird_esrMatch17.0

mozillathunderbird_esrMatch17.0.1

mozillathunderbird_esrMatch17.0.2

mozillathunderbird_esrMatch17.0.3

mozillathunderbird_esrMatch17.0.4

mozillathunderbird_esrMatch17.0.5

mozillathunderbird_esrMatch17.0.6

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox19.0cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
mozillafirefox19.0.1cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
mozillafirefox19.0.2cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
mozillafirefox20.0cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
mozillafirefox20.0.1cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
mozillafirefox_esr17.0cpe:2.3:a:mozilla:firefox_esr:17.0:*:*:*:*:*:*:*
mozillafirefox_esr17.0.1cpe:2.3:a:mozilla:firefox_esr:17.0.1:*:*:*:*:*:*:*
mozillafirefox_esr17.0.2cpe:2.3:a:mozilla:firefox_esr:17.0.2:*:*:*:*:*:*:*
mozillafirefox_esr17.0.3cpe:2.3:a:mozilla:firefox_esr:17.0.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox	19.0	cpe:2.3:a:mozilla:firefox:19.0:::::::*
mozilla	firefox	19.0.1	cpe:2.3:a:mozilla:firefox:19.0.1:::::::*
mozilla	firefox	19.0.2	cpe:2.3:a:mozilla:firefox:19.0.2:::::::*
mozilla	firefox	20.0	cpe:2.3:a:mozilla:firefox:20.0:::::::*
mozilla	firefox	20.0.1	cpe:2.3:a:mozilla:firefox:20.0.1:::::::*
mozilla	firefox_esr	17.0	cpe:2.3:a:mozilla:firefox_esr:17.0:::::::*
mozilla	firefox_esr	17.0.1	cpe:2.3:a:mozilla:firefox_esr:17.0.1:::::::*
mozilla	firefox_esr	17.0.2	cpe:2.3:a:mozilla:firefox_esr:17.0.2:::::::*
mozilla	firefox_esr	17.0.3	cpe:2.3:a:mozilla:firefox_esr:17.0.3:::::::*