CVE-2013-6674

SeaMonkey < 2.20 - Cross-Site Scripting via Data URL in IFRAME

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-6674. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This exploit demonstrates a filter bypass vulnerability in Mozilla Thunderbird 17.0.6, allowing remote attackers to inject persistent script code via base64-encoded payloads within the <object> tag. The exploit triggers when the victim replies or forwards the malicious email.

Description

Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018.

Exploits (1)

exploitdb WORKING POC

by Vulnerability-Lab · textdosmultiple

https://www.exploit-db.com/exploits/31223

View Code ZIP pw:eip

This exploit demonstrates a filter bypass vulnerability in Mozilla Thunderbird 17.0.6, allowing remote attackers to inject persistent script code via base64-encoded payloads within the <object> tag. The exploit triggers when the victim replies or forwards the malicious email.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Mozilla Thunderbird 17.0.6

No auth needed

Prerequisites: Victim must open the malicious email and click 'Reply' or 'Forward'

MITRE ATT&CK