CVE-2013-1687

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site.

Published: Jun 26, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-1687
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
mozilla / firefox	19.0	19.0.x
mozilla / firefox	19.0.2	19.0.2.x
mozilla / firefox	20.0.1	20.0.1.x
mozilla / firefox	19.0.1	19.0.1.x
mozilla / firefox	20.0	20.0.x
mozilla / firefox	-	21.0.x
mozilla / firefox_esr	17.0.5	17.0.5.x
mozilla / firefox_esr	17.0	17.0.x
mozilla / firefox_esr	17.0.1	17.0.1.x
mozilla / firefox_esr	17.0.6	17.0.6.x
mozilla / firefox_esr	17.0.4	17.0.4.x
mozilla / firefox_esr	17.0.3	17.0.3.x
mozilla / firefox_esr	17.0.2	17.0.2.x
mozilla / thunderbird	17.0.3	17.0.3.x
mozilla / thunderbird	17.0.1	17.0.1.x
mozilla / thunderbird	17.0.4	17.0.4.x
mozilla / thunderbird	17.0	17.0.x
mozilla / thunderbird	17.0.2	17.0.2.x
mozilla / thunderbird	-	17.0.6.x
mozilla / thunderbird	17.0.5	17.0.5.x
mozilla / thunderbird_esr	17.0.1	17.0.1.x
mozilla / thunderbird_esr	17.0.2	17.0.2.x
mozilla / thunderbird_esr	17.0.3	17.0.3.x
mozilla / thunderbird_esr	17.0.5	17.0.5.x
mozilla / thunderbird_esr	17.0.6	17.0.6.x
mozilla / thunderbird_esr	17.0.4	17.0.4.x
mozilla / thunderbird_esr	17.0	17.0.x

Vulnerability Database

289,697

CVE-2013-1687