CVE-2013-1670

medium
Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.

References

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html

http://rhn.redhat.com/errata/RHSA-2013-0820.html

http://rhn.redhat.com/errata/RHSA-2013-0821.html

http://www.debian.org/security/2013/dsa-2699

http://www.exploit-db.com/exploits/34363

http://www.mandriva.com/security/advisories?name=MDVSA-2013:165

http://www.mozilla.org/security/announce/2013/mfsa2013-42.html

http://www.osvdb.org/93427

http://www.securityfocus.com/bid/59865

http://www.ubuntu.com/usn/USN-1822-1

http://www.ubuntu.com/usn/USN-1823-1

https://bugzilla.mozilla.org/show_bug.cgi?id=853709

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17046

Details

Source: MITRE

Published: 2013-05-16

Updated: 2017-09-19

Type: CWE-264

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 75014 | openSUSE Security Update : xulrunner (openSUSE-SU-2013:0929-1) | Nessus | SuSE Local Security Checks | critical |
| 75013 | openSUSE Security Update : MozillaThunderbird (openSUSE-SU-2013:0894-1) | Nessus | SuSE Local Security Checks | critical |
| 75009 | openSUSE Security Update : MozillaFirefox (openSUSE-SU-2013:0946-1) | Nessus | SuSE Local Security Checks | critical |
| 70183 | GLSA-201309-23 : Mozilla Products: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 68949 | SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 8001) | Nessus | SuSE Local Security Checks | critical |
| 68821 | Oracle Linux 6 : thunderbird (ELSA-2013-0821) | Nessus | Oracle Linux Local Security Checks | critical |
| 68820 | Oracle Linux 5 / 6 : firefox (ELSA-2013-0820) | Nessus | Oracle Linux Local Security Checks | critical |
| 67201 | Debian DSA-2720-1 : icedove - several vulnerabilities | Nessus | Debian Local Security Checks | critical |
| 66766 | Debian DSA-2699-1 : iceweasel - several vulnerabilities | Nessus | Debian Local Security Checks | critical |
| 801267 | Mozilla Firefox 20.x <= 20 Multiple Vulnerabilities | Log Correlation Engine | Web Clients | medium |
| 6828 | Mozilla Firefox < 21.0 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high |
| 66482 | Mozilla Thunderbird ESR 17.x < 17.0.6 Multiple Vulnerabilities | Nessus | Windows | critical |
| 66481 | Mozilla Thunderbird 17.x < 17.0.5 Multiple Vulnerabilities | Nessus | Windows | critical |
| 66480 | Firefox < 21.0 Multiple Vulnerabilities | Nessus | Windows | critical |
| 66479 | Firefox ESR 17.x < 17.0.6 Multiple Vulnerabilities | Nessus | Windows | critical |
| 66478 | Thunderbird ESR 17.x < 17.0.6 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | critical |
| 66477 | Thunderbird 17.x < 17.0.6 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | critical |
| 66476 | Firefox < 21.0 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | critical |
| 66475 | Firefox ESR 17.x < 17.0.6 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | critical |
| 66461 | Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64 (20130514) | Nessus | Scientific Linux Local Security Checks | critical |
| 66460 | Scientific Linux Security Update : firefox on SL5.x, SL6.x i386/x86_64 (20130514) | Nessus | Scientific Linux Local Security Checks | critical |
| 66455 | FreeBSD : mozilla -- multiple vulnerabilities (4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02) | Nessus | FreeBSD Local Security Checks | critical |
| 801314 | Mozilla Thunderbird 17.x < 17.0.6 Multiple Vulnerabilities | Log Correlation Engine | SMTP Clients | high |
| 6822 | Mozilla Thunderbird 17.x < 17.0.6 Multiple Vulnerabilities | Nessus Network Monitor | SMTP Clients | high |
| 66443 | Ubuntu 12.04 LTS / 12.10 / 13.04 : thunderbird vulnerabilities (USN-1823-1) | Nessus | Ubuntu Local Security Checks | critical |
| 66442 | Ubuntu 12.04 LTS / 12.10 / 13.04 : firefox vulnerabilities (USN-1822-1) | Nessus | Ubuntu Local Security Checks | critical |
| 66438 | RHEL 5 / 6 : thunderbird (RHSA-2013:0821) | Nessus | Red Hat Local Security Checks | critical |
| 66437 | RHEL 5 / 6 : firefox (RHSA-2013:0820) | Nessus | Red Hat Local Security Checks | critical |
| 66430 | CentOS 5 / 6 : thunderbird (CESA-2013:0821) | Nessus | CentOS Local Security Checks | critical |
| 66429 | CentOS 5 / 6 : firefox (CESA-2013:0820) | Nessus | CentOS Local Security Checks | critical |