CVE-2013-1687
7.4 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.007 Low
EPSS
Percentile
80.3%
The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.
References
lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html
rhn.redhat.com/errata/RHSA-2013-0981.html
rhn.redhat.com/errata/RHSA-2013-0982.html
www.debian.org/security/2013/dsa-2716
www.debian.org/security/2013/dsa-2720
www.mozilla.org/security/announce/2013/mfsa2013-51.html
www.securityfocus.com/bid/60777
www.ubuntu.com/usn/USN-1890-1
www.ubuntu.com/usn/USN-1891-1
bugzilla.mozilla.org/show_bug.cgi?id=863933
bugzilla.mozilla.org/show_bug.cgi?id=866823
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17117
Related
7.4 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.007 Low
EPSS
Percentile
80.3%