CVE-2013-1690
Last modified
CVE-2013-1690 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.. CISA has confirmed active exploitation in the wild. EPSS estimates a 69.24% chance of exploitation in the next 30 days.
Description
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Mozilla | Firefox | < 22.0 | — |
| Mozilla | Firefox | >= 17.0, < 17.0.7 | — |
| Mozilla | Thunderbird | < 17.0.7 | — |
| Mozilla | Thunderbird Esr | >= 17.0, < 17.0.7 | — |
| Canonical | Ubuntu Linux | 12.04 | — |
| Canonical | Ubuntu Linux | 12.10 | — |
| Canonical | Ubuntu Linux | 13.04 | — |
| Debian | Debian Linux | 7.0 | — |
| Redhat | Gluster Storage Server For On-Premise | 2.0 | — |
| Redhat | Enterprise Linux Desktop | 5.0 | — |
| Redhat | Enterprise Linux Desktop | 6.0 | — |
| Redhat | Enterprise Linux Eus | 5.9 | — |
| Redhat | Enterprise Linux Eus | 6.4 | — |
| Redhat | Enterprise Linux Server | 5.0 | — |
| Redhat | Enterprise Linux Server | 6.0 | — |
| Redhat | Enterprise Linux Server Aus | 5.9 | — |
| Redhat | Enterprise Linux Server Aus | 6.4 | — |
| Redhat | Enterprise Linux Workstation | 5.0 | — |
| Redhat | Enterprise Linux Workstation | 6.0 | — |
| Opensuse | Opensuse | 11.4 | — |
| Opensuse | Opensuse | 12.2 | — |
| Opensuse | Opensuse | 12.3 | — |
| Suse | Linux Enterprise Desktop | 10 | Sp4 |
| Suse | Linux Enterprise Desktop | 11 | Sp2 |
| Suse | Linux Enterprise Server | 10 | Sp4 |
| Suse | Linux Enterprise Server | 11 | Sp1 |
| Suse | Linux Enterprise Software Development Kit | 10 | Sp4 |
| Suse | Linux Enterprise Software Development Kit | 11 | Sp3 |
References
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-0981.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-0982.htmlThird Party Advisory
- http://www.debian.org/security/2013/dsa-2716Mailing List, Third Party Advisory
- http://www.debian.org/security/2013/dsa-2720Mailing List, Third Party Advisory
- http://www.securityfocus.com/bid/60778Broken Link, Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-1890-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-1891-1Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=857883Issue Tracking
- https://bugzilla.mozilla.org/show_bug.cgi?id=901365Issue Tracking
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-0981.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-0982.htmlThird Party Advisory
- http://www.debian.org/security/2013/dsa-2716Mailing List, Third Party Advisory
- http://www.debian.org/security/2013/dsa-2720Mailing List, Third Party Advisory
- http://www.securityfocus.com/bid/60778Broken Link, Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-1890-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-1891-1Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=857883Issue Tracking
- https://bugzilla.mozilla.org/show_bug.cgi?id=901365Issue Tracking
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-1690US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2013-1690?
How severe is CVE-2013-1690?
How do I fix CVE-2013-1690?
Are you affected by CVE-2013-1690?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST