Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1670Cross-site Scripting in Mozilla Firefox

CWE-79Cross-site ScriptingCWE-2649 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
24.6%
top 3.87%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
3
Mozilla FirefoxMozilla ThunderbirdMozilla Thunderbird ESR
Timeline
PublishedMay 16
Latest updateMay 17

Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

NVDmozilla/firefox20.0.1+10
NVDmozilla/thunderbird17.0.5+5
NVDmozilla/thunderbird_esr6 versions+5

🔴Vulnerability Details

3
GHSA
GHSA-wmq6-5fp5-6pfg: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 212022-05-17
CVEList
CVE-2013-1670: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 212013-05-16
VulnCheck
Mozilla Firefox Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2013

💥Exploits & PoCs

1
Exploit-DB
Mozilla Firefox - toString console.time Privileged JavaScript Injection (Metasploit)2014-08-19

📋Vendor Advisories

3
Ubuntu
Firefox vulnerabilities2013-05-14
Red Hat
Mozilla: Privileged access for content level constructor (MFSA 2013-42)2013-05-14
Ubuntu
Thunderbird vulnerabilities2013-05-14

💬Community

1
Bugzilla
CVE-2013-1670 Mozilla: Privileged access for content level constructor (MFSA 2013-42)2013-05-14
CVE-2013-1670 — Cross-site Scripting in Mozilla Firefox | cvebase