CVE-2013-1710

EXPLOITED

Firefox toString console.time Privileged Javascript Injection

Title source: metasploit
Exploitation Summary

CVE-2013-1710 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including moz_bug_r_a4, Cody Crews, and joev, among them the Metasploit module exploits/multi/browser/firefox_tostring_console_injection.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2013-1710 in Firefox 5.0-15.0.1 by manipulating the __exposedProps__ property to gain chrome-privileged context and install a malicious addon. It chains with CVE-2012-3993 to override functions and uses crypto.generateCRMFRequest to execute arbitrary code.

Description

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.

Exploits (2)

exploitdb WORKING POC
ruby · local · multiple
https://www.exploit-db.com/exploits/30474

This Metasploit module exploits CVE-2013-1710 in Firefox 5.0-15.0.1 by manipulating the __exposedProps__ property to gain chrome-privileged context and install a malicious addon. It chains with CVE-2012-3993 to override functions and uses crypto.generateCRMFRequest to execute arbitrary code.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox 5.0 to 15.0.1
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox version between 5.0 and 15.0.1
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by moz_bug_r_a4, Cody Crews, joev · ruby · poc · firefox
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_tostring_console_injection.rb

This Metasploit module exploits CVE-2013-1710 to achieve remote code execution on Firefox 15-22 by injecting privileged JavaScript into a chrome:// context via toString and console.time manipulation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox 15.0 to 22.0
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox version between 15.0 and 22.0
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2746
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18773
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/61900
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2735
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=871368

Scores

EPSS: 0.7647
EPSS Percentile: 99.0%

Details

VulnCheck KEV: 2017-01-09
CWE: CWE-20
Status: published
Products (32)
mozilla/firefox 19.0
mozilla/firefox 19.0.1
mozilla/firefox 19.0.2
mozilla/firefox 20.0
mozilla/firefox 20.0.1
mozilla/firefox 21.0
mozilla/firefox 17.0
mozilla/firefox 17.0.1
mozilla/firefox 17.0.2
mozilla/firefox 17.0.3
... and 22 more
Published: Aug 07, 2013
Tracked Since: Feb 18, 2026