
CVSS: 6.9 • EPSS: 0% • CPEs: 27 • EXPL: 0

The Mozilla Maintenance Service in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 on Windows allows local users to bypass integrity verification and gain privileges via vectors involving junctions. • http://www.mozilla.org/security/announce/2013/mfsa2013-44.html https://bugzilla.mozilla.org/show_bug.cgi?id=850492 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16915 • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.9 • EPSS: 0% • CPEs: 6 • EXPL: 0

The Mozilla Updater in Mozilla Firefox before 21.0 on Windows does not properly maintain Mozilla Maintenance Service registry entries in certain situations involving upgrades from older Firefox versions, which allows local users to gain privileges by leveraging write access to a "trusted path." • http://www.mozilla.org/security/announce/2013/mfsa2013-45.html https://bugzilla.mozilla.org/show_bug.cgi?id=854088 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17125 • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 10.0 • EPSS: 8% • CPEs: 5 • EXPL: 0

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 21.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. • http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html http://www.mozilla.org/security/announce/2013/mfsa2013-41.html http://www.securityfocus.com/bid/59870 http://www.ubuntu.com/

CVSS: 4.3 • EPSS: 88% • CPEs: 23 • EXPL: 2

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site. • https://www.exploit-db.com/exploits/34363 http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html http://rhn.redhat.com/errata/RHSA-2013-0820.html http://rhn.redhat.com/errata/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 • EPSS: 0% • CPEs: 5 • EXPL: 0

Mozilla Firefox before 21.0 does not properly implement the INPUT element, which allows remote attackers to obtain the full pathname via a crafted web site. • http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html http://www.mozilla.org/security/announce/2013/mfsa2013-43.html http://www.ubuntu.com/usn/USN-1822-1 https://bugzilla.mozilla.org/show_bug.cgi?id=842255 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17100 • CWE-20: Improper Input Validation