Your submission was sent successfully! Close

CVE-2013-1697

Published: 25 June 2013

The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method.

Priority

Medium

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise
Released (22.0+build1-0ubuntu0.12.04.1)
quantal
Released (22.0+build1-0ubuntu0.12.10.1)
raring
Released (22.0+build1-0ubuntu0.13.04.1)
upstream
Released (22.0)
seamonkey
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist

quantal Does not exist

raring Does not exist

upstream Needs triage

thunderbird
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise
Released (17.0.7+build1-0ubuntu0.12.04.1)
quantal
Released (17.0.7+build1-0ubuntu0.12.10.1)
raring
Released (17.0.7+build1-0ubuntu0.13.04.1)
upstream
Released (17.0.7)
xulrunner-1.9.2
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist

quantal Does not exist

raring Does not exist

upstream Needs triage