CVE-2013-0747 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation7 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

2.3%

top 15.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +6 more

Timeline

PublishedJan 13

Latest updateMay 13

Description

The gPluginHandler.handleEvent function in the plugin handler in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly enforce the Same Origin Policy, which allows remote attackers to conduct clickjacking attacks via crafted JavaScript code that listens for a mutation event.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages8 packages

▶NVDmozilla/firefox< 17.0.2+1

▶NVDmozilla/thunderbird< 17.0.2

▶NVDmozilla/thunderbird_esr< 17.0.2

▶NVDmozilla/seamonkey< 2.15

▶NVDopensuse/opensuse11.4, 12.1, 12.2+2

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-6xpg-g38w-3gmx: The gPluginHandler↗2022-05-13

▶

CVEList

CVE-2013-0747: The gPluginHandler↗2013-01-13

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2013-01-09

▶

Ubuntu

Thunderbird vulnerabilities↗2013-01-09

▶

Red Hat

Mozilla: Event manipulation in plugin handler to bypass same-origin policy (MFSA 2013-10)↗2013-01-08

▶

💬Community

Bugzilla

CVE-2013-0747 Mozilla: Event manipulation in plugin handler to bypass same-origin policy (MFSA 2013-10)↗2013-01-05

▶