CVE-2013-0748: Infoleak
First published: Sun Jan 13 2013(Updated: )
The XBL.__proto__.toString implementation in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 makes it easier for remote attackers to bypass the ASLR protection mechanism by calling the toString function of an XBL object.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <18.0 | |
| Firefox | >=10.0<10.0.12 | |
| Firefox | >=17.0<17.0.2 | |
| Mozilla SeaMonkey | <2.15 | |
| Thunderbird | <17.0.2 | |
| Mozilla Thunderbird | >=10.0<10.0.12 | |
| Mozilla Thunderbird | >=17.0<17.0.2 | |
| SUSE Linux | =11.4 | |
| SUSE Linux | =12.1 | |
| SUSE Linux | =12.2 | |
| SUSE Linux Enterprise Desktop | =10-sp4 | |
| SUSE Linux Enterprise Desktop | =11-sp2 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Software Development Kit | =10-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp2 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Server EUS | =5.9 | |
| Red Hat Enterprise Linux Server EUS | =6.3 | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =5.9 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Ubuntu | =10.04 | |
| Ubuntu | =11.10 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Firefox ESR | >=10.0<10.0.12 | |
| Firefox ESR | >=17.0<17.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html
- http://rhn.redhat.com/errata/RHSA-2013-0144.html
- http://rhn.redhat.com/errata/RHSA-2013-0145.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
- http://www.ubuntu.com/usn/USN-1681-1
- http://www.ubuntu.com/usn/USN-1681-2
- http://www.ubuntu.com/usn/USN-1681-4
- https://bugzilla.mozilla.org/show_bug.cgi?id=806031
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17109
Frequently Asked Questions
What is the severity of CVE-2013-0748?
The severity of CVE-2013-0748 is classified as moderate, as it can potentially allow remote attackers to bypass Address Space Layout Randomization (ASLR).
Which versions of Mozilla Firefox are affected by CVE-2013-0748?
CVE-2013-0748 affects Mozilla Firefox versions before 18.0 and specific ESR versions before 10.0.12 and 17.0.2.
How do I fix CVE-2013-0748?
To fix CVE-2013-0748, users should update their Mozilla Firefox, Thunderbird, or SeaMonkey to the latest version available.
Is CVE-2013-0748 affecting any other software?
Yes, CVE-2013-0748 also affects specific versions of Mozilla Thunderbird, SeaMonkey, and some versions of openSUSE and Red Hat Enterprise Linux.
What type of vulnerability is CVE-2013-0748?
CVE-2013-0748 is a security vulnerability that makes it easier for remote attackers to exploit memory corruption and bypass ASLR.
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/author
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/10.0
- version/firefox/17.0
- canonical/mozilla seamonkey
- canonical/thunderbird
- canonical/mozilla thunderbird
- version/mozilla thunderbird/10.0
- version/mozilla thunderbird/17.0
- vendor/opensuse
- canonical/suse linux
- version/suse linux/11.4
- version/suse linux/12.1
- version/suse linux/12.2
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/10-sp4
- version/suse linux enterprise desktop/11-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- version/suse linux enterprise server/11-sp2
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/10-sp4
- version/suse linux enterprise software development kit/11-sp2
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/5.0
- version/red hat enterprise linux desktop/6.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/5.9
- version/red hat enterprise linux server eus/6.3
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/5.0
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/5.9
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/5.0
- version/red hat enterprise linux workstation/6.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/11.10
- version/ubuntu/12.04
- version/ubuntu/12.10
- canonical/firefox esr
- version/firefox esr/10.0
- version/firefox esr/17.0