CVE-2013-1688 : The Profiler implementation in Mozilla Firefox before 22.0 parses untrusted data

The Profiler implementation in Mozilla Firefox before 22.0 parses untrusted data during UI rendering, which allows user-assisted remote attackers to execute arbitrary JavaScript code via a crafted web site.

Published 2013-06-26 03:19:11

Updated 2025-04-11 00:51:22

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2013-1688

Mozilla » Firefox
Versions up to, including, (<=) 21.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0
cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.1
cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.2
cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0
cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0.1
cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-1688

EPSS FAQ

0.97%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-1688

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-1688

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-1688

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html

[security-announce] openSUSE-SU-2013:1140-1: important: regular updates

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html

[security-announce] openSUSE-SU-2013:1142-1: important: MozillaFirefox:

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16427

Repository / Oval Repository
http://www.ubuntu.com/usn/USN-1890-1

USN-1890-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=873966

873966 - (CVE-2013-1688) Arbitrary code execution from Profiler
http://www.mozilla.org/security/announce/2013/mfsa2013-52.html

Arbitrary code execution within Profiler — Mozilla
Vendor Advisory

Jump to

Vulnerability Details : CVE-2013-1688

Products affected by CVE-2013-1688

Exploit prediction scoring system (EPSS) score for CVE-2013-1688

CVSS scores for CVE-2013-1688

CWE ids for CVE-2013-1688

References for CVE-2013-1688