CVE-2013-1687

Published: Jun 26, 2013Modified: Apr 29, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.

Affected (27)

Products: Mozilla: Firefox, Thunderbird, Thunderbird Esr

3 products

Thunderbird Esr

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Up to 21.0
Mozilla Firefox	Version 19.0.1
Mozilla Firefox	Version 19.0.2
Mozilla Firefox	Version 19.0
Mozilla Firefox	Version 20.0.1
Mozilla Firefox	Version 20.0

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Version 17.0.1
Mozilla Firefox	Version 17.0.2
Mozilla Firefox	Version 17.0.3
Mozilla Firefox	Version 17.0.4
Mozilla Firefox	Version 17.0.5
Mozilla Firefox	Version 17.0.6
Mozilla Firefox	Version 17.0

Configuration C

7 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Up to 17.0.6
Mozilla Thunderbird	Version 17.0.1
Mozilla Thunderbird	Version 17.0.2
Mozilla Thunderbird	Version 17.0.3
Mozilla Thunderbird	Version 17.0.4
Mozilla Thunderbird	Version 17.0.5
Mozilla Thunderbird	Version 17.0

Configuration D

7 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird Esr	Version 17.0.1
Mozilla Thunderbird Esr	Version 17.0.2
Mozilla Thunderbird Esr	Version 17.0.3
Mozilla Thunderbird Esr	Version 17.0.4
Mozilla Thunderbird Esr	Version 17.0.5
Mozilla Thunderbird Esr	Version 17.0.6
Mozilla Thunderbird Esr	Version 17.0

Related CWEs

References (34)

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2013-0981.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2013-0982.html

Source: security@mozilla.org

http://www.debian.org/security/2013/dsa-2716

Source: security@mozilla.org

http://www.debian.org/security/2013/dsa-2720

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2013/mfsa2013-51.html

Source: security@mozilla.org

Vendor Advisory

http://www.securityfocus.com/bid/60777

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-1890-1

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-1891-1

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=863933

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=866823

Source: security@mozilla.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17117

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0981.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0982.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2716

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2720

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mozilla.org/security/announce/2013/mfsa2013-51.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/60777

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1890-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1891-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=863933

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=866823

Source: af854a3a-2127-422b-91ae-364da2661108

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17117

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.