CVE-2013-1675

high-risk

Published 2013-05-16

Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.

Do I need to act?

4.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Firefox

Thunderbird

Ubuntu Linux

Debian Linux

Gluster Storage Server For On-Premise

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux For Ibm Z Systems

Enterprise Linux For Ibm Z Systems Eus

Enterprise Linux For Power Big Endian

Enterprise Linux For Power Big Endian Eus

Enterprise Linux For Scientific Computing

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus From Rhui

Enterprise Linux Workstation

Opensuse

Thunderbird Esr

Ubuntu Linux

Affected Vendors

Redhat Mozilla Canonical Opensuse Debian

References (31)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00011.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00012.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00006.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2013-0820.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2013-0821.html

Mailing List http://www.debian.org/security/2013/dsa-2699

Broken Link http://www.mandriva.com/security/advisories?name=MDVSA-2013:165

Vendor Advisory http://www.mozilla.org/security/announce/2013/mfsa2013-47.html

Broken Link http://www.securityfocus.com/bid/59858

Third Party Advisory http://www.ubuntu.com/usn/USN-1822-1

Third Party Advisory http://www.ubuntu.com/usn/USN-1823-1

Exploit https://bugzilla.mozilla.org/show_bug.cgi?id=866825

Broken Link https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3...

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00010.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00011.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00012.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00006.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00008.html

and 11 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 15/34 · Moderate

Exposure 23/34 · High