CVE-2013-1695 - OpenCVE

Mozilla Firefox before 22.0 does not properly implement certain DocShell inheritance behavior for the sandbox attribute of an IFRAME element, which allows remote attackers to bypass intended access restrictions via a FRAME element within an IFRAME element.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox:19.0:::::::*
	cpe:2.3:a:mozilla:firefox:19.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:19.0.2:::::::*
	cpe:2.3:a:mozilla:firefox:20.0:::::::*
	cpe:2.3:a:mozilla:firefox:20.0.1:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html
http://www.mozilla.org/security/announce/2013/mfsa2013-57.html	Vendor Advisory
http://www.ubuntu.com/usn/USN-1890-1
https://bugzilla.mozilla.org/show_bug.cgi?id=849791
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16433

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2013-06-26T01:00:00

Updated: 2017-09-18T12:57:01

Reserved: 2013-02-13T00:00:00

Link: CVE-2013-1695

JSON object: View

NVD Information

Status : Modified

Published: 2013-06-26T03:19:10.863

Modified: 2017-09-19T01:36:11.263

Link: CVE-2013-1695

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-06-25T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 22.0 does not properly implement certain DocShell inheritance behavior for the sandbox attribute of an IFRAME element, which allows remote attackers to bypass intended access restrictions via a FRAME element within an IFRAME element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "USN-1890-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1890-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2013/mfsa2013-57.html"}, {"name": "oval:org.mitre.oval:def:16433", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16433"}, {"name": "openSUSE-SU-2013:1142", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html"}, {"name": "openSUSE-SU-2013:1140", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=849791"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2013-1695", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 22.0 does not properly implement certain DocShell inheritance behavior for the sandbox attribute of an IFRAME element, which allows remote attackers to bypass intended access restrictions via a FRAME element within an IFRAME element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-1890-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1890-1"}, {"name": "http://www.mozilla.org/security/announce/2013/mfsa2013-57.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2013/mfsa2013-57.html"}, {"name": "oval:org.mitre.oval:def:16433", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16433"}, {"name": "openSUSE-SU-2013:1142", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html"}, {"name": "openSUSE-SU-2013:1140", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=849791", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=849791"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2013-1695", "datePublished": "2013-06-26T01:00:00", "dateReserved": "2013-02-13T00:00:00", "dateUpdated": "2017-09-18T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "29071754-CC8F-42D9-82D4-140236802506", "versionEndIncluding": "21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*", "matchCriteriaId": "06FF9DFE-491D-4260-8A49-07FD342B9412", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DE09D089-7F48-466B-B03A-C64152A12615", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "653D73DA-21C0-4C3F-9269-5A6D5C5B1E34", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*", "matchCriteriaId": "804A0ACE-EB28-413D-93F4-E849FEA01390", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3BA49C6F-9115-41A5-BBDE-743CB9DEDDA8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 22.0 does not properly implement certain DocShell inheritance behavior for the sandbox attribute of an IFRAME element, which allows remote attackers to bypass intended access restrictions via a FRAME element within an IFRAME element."}, {"lang": "es", "value": "Mozilla Firefox antes de v22.0 no implementea correctamente cierto comportamiento DocShell para el atributo sandbox de un elemento IFRAME, lo que permite a atacantes remotos burlar las restricciones de acceso a trav\u00e9s de un elemento FRAME dentro de un elemento IFRAME"}], "id": "CVE-2013-1695", "lastModified": "2017-09-19T01:36:11.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-06-26T03:19:10.863", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00003.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00005.html"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2013/mfsa2013-57.html"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-1890-1"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=849791"}, {"source": "security@mozilla.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16433"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}