CVE-2013-0757

Firefox 17.0.1 Flash Privileged Code Injection

Title source: metasploit

Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by referencing Object.prototype.__proto__ in a crafted HTML document.

Exploits (3)

metasploit WORKING POC EXCELLENT
by Marius Mlynski, joev, sinn3r · rubypocfirefox
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_svg_plugin.rb
exploitdb WORKING POC
rubylocalmultiple
https://www.exploit-db.com/exploits/41683
exploitdb WORKING POC
rubyremotemultiple
https://www.exploit-db.com/exploits/41684

References (10)

Scores

EPSS 0.7457
EPSS Percentile 98.8%

Classification

CWE
CWE-20
Status draft

Affected Products (18)

mozilla/firefox < 17.0.2
mozilla/seamonkey < 2.15
mozilla/thunderbird < 17.0.2
mozilla/thunderbird_esr < 17.0.2
opensuse/opensuse
opensuse/opensuse
opensuse/opensuse
suse/linux_enterprise_desktop
suse/linux_enterprise_desktop
suse/linux_enterprise_server
suse/linux_enterprise_server
suse/linux_enterprise_server
suse/linux_enterprise_software_development_kit
suse/linux_enterprise_software_development_kit
canonical/ubuntu_linux
... and 3 more

Timeline

Published Jan 13, 2013
Tracked Since Feb 18, 2026