Vulnerability Details: CVE-2013-1692
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not prevent the inclusion of body data in an XMLHttpRequest HEAD request, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web site.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2013-1692
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1692
- 0.62%: probability of exploitation activity in the next 30 days
- ~76%: percentile, the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2013-1692
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2013-1692
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1692
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html
  [security-announce] openSUSE-SU-2013:1140-1: important: regular updates
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html
  [security-announce] openSUSE-SU-2013:1142-1: important: MozillaFirefox:
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html
  [security-announce] SUSE-SU-2013:1153-1: important: Security update for
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17096
  Repository / Oval Repository
- http://www.debian.org/security/2013/dsa-2716
  Debian -- Security Information -- DSA-2716-1 iceweasel
- http://www.debian.org/security/2013/dsa-2720
  Debian -- Security Information -- DSA-2720-1 icedove
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html
  [security-announce] openSUSE-SU-2013:1143-1: important: xulrunner: 17.0.
- http://www.ubuntu.com/usn/USN-1890-1
  USN-1890-1: Firefox vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html
  [security-announce] SUSE-SU-2013:1152-1: important: Security update for
- https://bugzilla.mozilla.org/show_bug.cgi?id=866915
  866915 - (CVE-2013-1692) Do not send data XHR HEAD request
- http://rhn.redhat.com/errata/RHSA-2013-0982.html
  RHSA-2013:0982 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2013-0981.html
  RHSA-2013:0981 - Security Advisory - Red Hat Customer Portal
- http://www.securityfocus.com/bid/60783
  Mozilla Firefox and Thunderbird CVE-2013-1692 Cross-Site Request Forgery Vulnerability
- http://www.ubuntu.com/usn/USN-1891-1
  USN-1891-1: Thunderbird vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html
  [security-announce] openSUSE-SU-2013:1141-1: important: MozillaThunderbi
- http://www.mozilla.org/security/announce/2013/mfsa2013-54.html
  Data in the body of XHR HEAD requests leads to CSRF attacks — Mozilla (Vendor Advisory)