Detections
Analytics

CVE-2013-1687

critical

Description

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17117

https://bugzilla.mozilla.org/show_bug.cgi?id=866823

https://bugzilla.mozilla.org/show_bug.cgi?id=863933

http://www.ubuntu.com/usn/USN-1891-1

http://www.ubuntu.com/usn/USN-1890-1

http://www.securityfocus.com/bid/60777

http://www.mozilla.org/security/announce/2013/mfsa2013-51.html

http://www.debian.org/security/2013/dsa-2720

http://www.debian.org/security/2013/dsa-2716

http://rhn.redhat.com/errata/RHSA-2013-0982.html

http://rhn.redhat.com/errata/RHSA-2013-0981.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html

Details

Source: Mitre, NVD

Published: 2013-06-26

Updated: 2024-10-21

Risk Information

CVSS v2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical