CVE-2013-5598: Mozilla Firefox vulnerability

CWE-264 | 7 documents | 5 sources
Severity: 8.3 HIGH (NVD)
EPSS: 0.8% (top 26.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 30
Latest update: May 17

Description

PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does not properly handle the appending of an IFRAME element, which allows remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges by using this element within an embedded PDF object.

CVSS vector

AV:N/AC:M/C:C/I:P/A:P
Exploitability: 8.6 | Impact: 8.5

Affected Packages (1 package)

NVD: mozilla/firefox 24.0 +12

🔴 Vulnerability Details (1)

GHSA: GHSA-qc4r-65pv-9r8p: PDF (2022-05-17)

📋 Vendor Advisories (2)

Ubuntu: Firefox vulnerabilities (2013-10-29)
Red Hat: Mozilla: Security bypass of PDF.js checks using iframes (MFSA 2013-99) (2013-10-29)

💬 Community (3)

Bugzilla: pdfjs privilege escalation round 2 (2014-05-24)
Bugzilla: CVE-2013-5598 Mozilla: Security bypass of PDF.js checks using iframes (MFSA 2013-99) (2013-10-28)
Bugzilla: pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe (2013-09-25)