CVE-2013-0747: Input Validation
First published: Sun Jan 13 2013(Updated: )
The gPluginHandler.handleEvent function in the plugin handler in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly enforce the Same Origin Policy, which allows remote attackers to conduct clickjacking attacks via crafted JavaScript code that listens for a mutation event.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <17.0.2 | |
| Firefox | <18.0 | |
| Mozilla SeaMonkey | <2.15 | |
| Thunderbird | <17.0.2 | |
| Mozilla Thunderbird | <17.0.2 | |
| openSUSE | =11.4 | |
| openSUSE | =12.1 | |
| openSUSE | =12.2 | |
| SUSE Linux Enterprise Desktop | =10-sp4 | |
| SUSE Linux Enterprise Desktop | =11-sp2 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Software Development Kit | =10-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp2 | |
| Ubuntu | =10.04 | |
| Ubuntu | =11.10 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Firefox ESR | <17.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-10.html
- http://www.ubuntu.com/usn/USN-1681-1
- http://www.ubuntu.com/usn/USN-1681-2
- http://www.ubuntu.com/usn/USN-1681-4
- https://bugzilla.mozilla.org/show_bug.cgi?id=733305
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16866
Frequently Asked Questions
What is the severity of CVE-2013-0747?
CVE-2013-0747 is classified as a high severity vulnerability due to its potential impact on the Same Origin Policy enforcement.
How do I fix CVE-2013-0747?
To fix CVE-2013-0747, users should update to the latest version of Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR, or SeaMonkey.
Which software is affected by CVE-2013-0747?
CVE-2013-0747 affects Mozilla Firefox versions prior to 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, and other related software.
Is CVE-2013-0747 exploitable by remote attackers?
Yes, CVE-2013-0747 allows remote attackers to exploit the vulnerability to bypass the Same Origin Policy.
Can outdated versions of openSUSE be affected by CVE-2013-0747?
Yes, versions of openSUSE prior to 11.4 and certain SUSE Linux distributions may be at risk from CVE-2013-0747.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/author
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- canonical/mozilla seamonkey
- canonical/thunderbird
- canonical/mozilla thunderbird
- vendor/opensuse
- canonical/opensuse
- version/opensuse/11.4
- version/opensuse/12.1
- version/opensuse/12.2
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/10-sp4
- version/suse linux enterprise desktop/11-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- version/suse linux enterprise server/11-sp2
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/10-sp4
- version/suse linux enterprise software development kit/11-sp2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/11.10
- version/ubuntu/12.04
- version/ubuntu/12.10
- canonical/firefox esr