CVE-2013-5593
Firefox < 25.0 and ESR 24.x < 24.1 - Address Bar Spoofing via SELECT Element
Title source: llmDescription
The SELECT element implementation in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 does not properly restrict the nature or placement of HTML within a dropdown menu, which allows remote attackers to spoof the address bar or conduct clickjacking attacks via vectors that trigger navigation off of a page containing this element.
References (6)
Core 6
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00005.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201504-01
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19263
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00006.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=868327
Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2013/mfsa2013-94.html
Scores
EPSS
0.0199
EPSS Percentile
78.3%
Details
CWE
CWE-20
Status
published
Products (32)
mozilla/firefox
24.0
mozilla/firefox
24.0.1
mozilla/firefox
24.0.2
mozilla/firefox
19.0
mozilla/firefox
19.0.1
mozilla/firefox
19.0.2
mozilla/firefox
20.0
mozilla/firefox
20.0.1
mozilla/firefox
21.0
mozilla/firefox
22.0
... and 22 more
Published
Oct 30, 2013
Tracked Since
Feb 18, 2026