CVE-2013-1687 : The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.

Published 2013-06-26 03:19:11

Updated 2024-10-21 13:55:04

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2013-1687

Mozilla » Firefox
Versions up to, including, (<=) 21.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0
cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.1
cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.1
cpe:2.3:a:mozilla:firefox:17.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0
cpe:2.3:a:mozilla:firefox:17.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.2
cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0
cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0.1
cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.5
cpe:2.3:a:mozilla:firefox:17.0.5:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.3
cpe:2.3:a:mozilla:firefox:17.0.3:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.2
cpe:2.3:a:mozilla:firefox:17.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.6
cpe:2.3:a:mozilla:firefox:17.0.6:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 17.0.4
cpe:2.3:a:mozilla:firefox:17.0.4:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions up to, including, (<=) 17.0.6
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0
cpe:2.3:a:mozilla:thunderbird:17.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0.1
cpe:2.3:a:mozilla:thunderbird:17.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0.3
cpe:2.3:a:mozilla:thunderbird:17.0.3:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0.4
cpe:2.3:a:mozilla:thunderbird:17.0.4:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0.2
cpe:2.3:a:mozilla:thunderbird:17.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird » Version: 17.0.5
cpe:2.3:a:mozilla:thunderbird:17.0.5:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0
cpe:2.3:a:mozilla:thunderbird_esr:17.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.1
cpe:2.3:a:mozilla:thunderbird_esr:17.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.4
cpe:2.3:a:mozilla:thunderbird_esr:17.0.4:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.2
cpe:2.3:a:mozilla:thunderbird_esr:17.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.3
cpe:2.3:a:mozilla:thunderbird_esr:17.0.3:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.5
cpe:2.3:a:mozilla:thunderbird_esr:17.0.5:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird Esr » Version: 17.0.6
cpe:2.3:a:mozilla:thunderbird_esr:17.0.6:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-1687

EPSS FAQ

1.59%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 80 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-1687

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-1687

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-1687

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html

[security-announce] openSUSE-SU-2013:1140-1: important: regular updates

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html

[security-announce] openSUSE-SU-2013:1142-1: important: MozillaFirefox:

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html

[security-announce] SUSE-SU-2013:1153-1: important: Security update for

CVEs referencing this url
http://www.debian.org/security/2013/dsa-2716

Debian -- Security Information -- DSA-2716-1 iceweasel

CVEs referencing this url
http://www.debian.org/security/2013/dsa-2720

Debian -- Security Information -- DSA-2720-1 icedove

CVEs referencing this url
http://www.securityfocus.com/bid/60777

Mozilla Firefox and Thunderbird CVE-2013-1687 Remote Code Execution Vulnerability
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html

[security-announce] openSUSE-SU-2013:1143-1: important: xulrunner: 17.0.

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1890-1

USN-1890-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.mozilla.org/security/announce/2013/mfsa2013-51.html

Privileged content access and execution via XBL — Mozilla
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html

[security-announce] SUSE-SU-2013:1152-1: important: Security update for

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=863933

863933 - (CVE-2013-1687) Arbitrary code execution via XBL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17117

Repository / Oval Repository
https://bugzilla.mozilla.org/show_bug.cgi?id=866823

866823 - Xray Waivers can be used to bypass COWs
http://rhn.redhat.com/errata/RHSA-2013-0982.html

RHSA-2013:0982 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2013-0981.html

RHSA-2013:0981 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.ubuntu.com/usn/USN-1891-1

USN-1891-1: Thunderbird vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html

[security-announce] openSUSE-SU-2013:1141-1: important: MozillaThunderbi

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2013-1687

Products affected by CVE-2013-1687

Exploit prediction scoring system (EPSS) score for CVE-2013-1687

CVSS scores for CVE-2013-1687

CWE ids for CVE-2013-1687

References for CVE-2013-1687