CVE-2013-1670
Mozilla Firefox - toString console.time Privileged JavaScript Injection
Severity Score
6.1
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
3
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.
La implementación Chrome Object Wrapper (COW) en Mozilla Firefox anterior a v21.0, Firefox ESR v17.x anterior a v17.0.6, Thunderbird anterior a v17.0.6, y Thunderbird ESR v17.x anterior a v17.0.6 no previene la adquisición de los privilegios de chrome durante las llamadas al contenido de los constructores, lo que permite a atacantes remotos eludir ciertas restricciones de solo lectura y llevar a cabo ataques de tipo XSS (cross-site-scripting) mediante un sitio web especialmente diseñado.
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser. These issues include multiple memory safety errors, missing input sanitizing vulnerabilities, use-after-free vulnerabilities, buffer overflows and other programming errors which may lead to the execution of arbitrary code, privilege escalation, information leaks or cross site scripting.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-13 CVE Reserved
- 2013-05-16 CVE Published
- 2014-08-18 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (21)
| URL | Tag | Source |
|---|---|---|
| http://www.osvdb.org/93427 | Vdb Entry | |
| http://www.securityfocus.com/bid/59865 | Vdb Entry | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=853709 | X_refsource_confirm | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17046 | Signature |
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/127915 | 2014-08-18 | |
| https://www.exploit-db.com/exploits/34363 | 2014-08-19 | |
| http://www.exploit-db.com/exploits/34363 | 2024-08-06 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | <= 20.0.1 Search vendor "Mozilla" for product "Firefox" and version " <= 20.0.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 19.0 Search vendor "Mozilla" for product "Firefox" and version "19.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 19.0.1 Search vendor "Mozilla" for product "Firefox" and version "19.0.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 19.0.2 Search vendor "Mozilla" for product "Firefox" and version "19.0.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 20.0 Search vendor "Mozilla" for product "Firefox" and version "20.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0.1 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0.2 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0.3 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0.4 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0.4" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 17.0.5 Search vendor "Mozilla" for product "Firefox Esr" and version "17.0.5" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | <= 17.0.5 Search vendor "Mozilla" for product "Thunderbird" and version " <= 17.0.5" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | 17.0 Search vendor "Mozilla" for product "Thunderbird" and version "17.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | 17.0.1 Search vendor "Mozilla" for product "Thunderbird" and version "17.0.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | 17.0.2 Search vendor "Mozilla" for product "Thunderbird" and version "17.0.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | 17.0.3 Search vendor "Mozilla" for product "Thunderbird" and version "17.0.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | 17.0.4 Search vendor "Mozilla" for product "Thunderbird" and version "17.0.4" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0.1 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0.2 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0.3 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0.4 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0.4" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr" | 17.0.5 Search vendor "Mozilla" for product "Thunderbird Esr" and version "17.0.5" | - |
Affected
| ||||||