Unrated severity · NVD Advisory · Published Jun 26, 2013 · Updated Jun 16, 2026
CVE-2013-1697
Description
The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method.
Affected products (32)
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* range: <=21.0
- cpe:2.3:a:mozilla:firefox:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:17.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
- (no CPE) range: <22.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* range: <=17.0.6
- cpe:2.3:a:mozilla:thunderbird:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird_esr:17.0.6:*:*:*:*:*:*:*
- (no CPE) range: <17.0.7
- osv-coords (3 versions): pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed, pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 50.1.0-1.1
- (no CPE) range: < 45.5.1-1.1
References (16)
- www.mozilla.org/security/announce/2013/mfsa2013-59.html (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00004.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00006.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00010.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00011.html (nvd)
- rhn.redhat.com/errata/RHSA-2013-0981.html (nvd)
- rhn.redhat.com/errata/RHSA-2013-0982.html (nvd)
- www.debian.org/security/2013/dsa-2716 (nvd)
- www.debian.org/security/2013/dsa-2720 (nvd)
- www.securityfocus.com/bid/60784 (nvd)
- www.ubuntu.com/usn/USN-1890-1 (nvd)
- www.ubuntu.com/usn/USN-1891-1 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17243 (nvd)