CVE-2013-0758

Mozilla Firefox < 18.0 - Remote Code Execution via SVG and Plugin Interaction

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-0758. PoCs published by Metasploit.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-9390 in Git and Mercurial clients on case-insensitive file systems (e.g., Windows, macOS) by crafting a malicious repository that overwrites sensitive configuration files (e.g., Git hooks) to achieve arbitrary code execution.

Description

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging improper interaction between plugin objects and SVG elements.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/41684

This Metasploit module exploits CVE-2014-9390 in Git and Mercurial clients on case-insensitive file systems (e.g., Windows, macOS) by crafting a malicious repository that overwrites sensitive configuration files (e.g., Git hooks) to achieve arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Git (versions < 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) and Mercurial (versions < 3.2.3)
No auth needed
Prerequisites: Vulnerable Git/Mercurial client on a case-insensitive file system · Victim must interact with a malicious repository (e.g., clone, checkout)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · multiple
https://www.exploit-db.com/exploits/41683

This Metasploit module exploits CVE-2013-0758 and CVE-2013-0757 to achieve remote code execution on Firefox 17.0.1 by leveraging Flash to navigate a frame to a chrome:// URL and bypassing the Chrome Object Wrapper.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox 17.0.1 with Flash installed
No auth needed
Prerequisites: Target must be using Firefox 17.0.1 · Flash plugin must be installed and enabled
devstral-2 · analyzed Feb 16, 2026

References (12)

Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0145.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-4
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0144.html
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=813906
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-2

Scores

EPSS 0.7336
EPSS Percentile 99.4%

Details

CWE: CWE-94
Status: published
Products (26)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
mozilla/firefox < 18.0
mozilla/seamonkey < 2.15
mozilla/thunderbird < 17.0.2
mozilla/thunderbird_esr 10.0 - 10.0.12
opensuse/opensuse 11.4
opensuse/opensuse 12.1
... and 16 more
Published Jan 13, 2013
Tracked Since Feb 18, 2026