Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-0757 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation22 documents8 sources

Severity

9.3CRITICALNVD

EPSS

74.6%

top 1.14%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +6 more

Timeline

PublishedJan 13

Latest updateMay 13

Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by referencing Object.prototype.__proto__ in a crafted HTML document.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages8 packages

▶NVDmozilla/firefox< 17.0.2+1

▶NVDmozilla/thunderbird< 17.0.2

▶NVDmozilla/thunderbird_esr< 17.0.2

▶NVDmozilla/seamonkey< 2.15

▶NVDopensuse/opensuse11.4, 12.1, 12.2+2

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-vw2x-fj5h-mmwq: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18↗2022-05-13

▶

CVEList

CVE-2013-0757: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18↗2013-01-13

▶

💥Exploits & PoCs

Exploit-DB

GIT 1.8.5.6/1.9.5/2.0.5/2.1.4/2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)↗2014-12-18

▶

Exploit-DB

Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)↗2013-01-08

▶

Metasploit

Firefox 17.0.1 Flash Privileged Code Injection↗

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2013-01-09

▶

Ubuntu

Thunderbird vulnerabilities↗2013-01-09

▶

Red Hat

Mozilla: Chrome Object Wrapper (COW) bypass through changing prototype (MFSA 2013-14)↗2013-01-08

▶

💬Community

Bugzilla

CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)↗2013-04-17

▶

Bugzilla

CVE-2013-2425 Oracle JDK: unspecified vulnerability fixed in 7u21 (Install)↗2013-04-17

▶

Bugzilla

CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)↗2013-04-17

▶

Bugzilla

CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)↗2013-04-17

▶

Bugzilla

CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)↗2013-04-17

▶