CVE-2013-0757

Firefox 17.0.1 Flash Privileged Code Injection

Title source: metasploit

Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by referencing Object.prototype.__proto__ in a crafted HTML document.

Exploits (3)

exploitdb WORKING POC
rubyremotemultiple
https://www.exploit-db.com/exploits/41684
exploitdb WORKING POC
rubylocalmultiple
https://www.exploit-db.com/exploits/41683
metasploit WORKING POC EXCELLENT
by Marius Mlynski, joev, sinn3r · rubypocfirefox
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_svg_plugin.rb

References (10)

Scores

EPSS 0.7457
EPSS Percentile 98.9%

Details

CWE
CWE-20
Status published
Products (17)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
mozilla/firefox < 17.0.2
mozilla/seamonkey < 2.15
mozilla/thunderbird < 17.0.2
mozilla/thunderbird_esr < 17.0.2
opensuse/opensuse 11.4
opensuse/opensuse 12.1
... and 7 more
Published Jan 13, 2013
Tracked Since Feb 18, 2026