CVE-2013-1697

The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method.

Published: Jun 26, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-1697
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
mozilla / firefox	19.0	19.0.x
mozilla / firefox	19.0.2	19.0.2.x
mozilla / firefox	20.0.1	20.0.1.x
mozilla / firefox	19.0.1	19.0.1.x
mozilla / firefox	20.0	20.0.x
mozilla / firefox	-	21.0.x
mozilla / firefox_esr	17.0.5	17.0.5.x
mozilla / firefox_esr	17.0	17.0.x
mozilla / firefox_esr	17.0.1	17.0.1.x
mozilla / firefox_esr	17.0.6	17.0.6.x
mozilla / firefox_esr	17.0.4	17.0.4.x
mozilla / firefox_esr	17.0.3	17.0.3.x
mozilla / firefox_esr	17.0.2	17.0.2.x
mozilla / thunderbird	17.0.3	17.0.3.x
mozilla / thunderbird	17.0.1	17.0.1.x
mozilla / thunderbird	17.0.4	17.0.4.x
mozilla / thunderbird	17.0	17.0.x
mozilla / thunderbird	17.0.2	17.0.2.x
mozilla / thunderbird	-	17.0.6.x
mozilla / thunderbird	17.0.5	17.0.5.x
mozilla / thunderbird_esr	17.0.1	17.0.1.x
mozilla / thunderbird_esr	17.0.2	17.0.2.x
mozilla / thunderbird_esr	17.0.3	17.0.3.x
mozilla / thunderbird_esr	17.0.5	17.0.5.x
mozilla / thunderbird_esr	17.0.6	17.0.6.x
mozilla / thunderbird_esr	17.0.4	17.0.4.x
mozilla / thunderbird_esr	17.0	17.0.x

Vulnerability Database

289,697

CVE-2013-1697