CVE-2013-1730

NameCVE-2013-1730
DescriptionMozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly handle movement of XBL-backed nodes between documents, which allows remote attackers to execute arbitrary code or cause a denial of service (JavaScript compartment mismatch, or assertion failure and application exit) via a crafted web site.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2759-1, DSA-2762-1
NVD severitymedium (attack range: remote)
Debian/oldstablepackages icedove, iceweasel are vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
iceape (PTS)squeeze (security)2.0.11-17vulnerable
icedove (PTS)squeeze (security), squeeze3.0.11-1+squeeze15vulnerable
wheezy31.3.0-1~deb7u1fixed
wheezy (security)31.4.0-1~deb7u1fixed
jessie, sid31.4.0-2fixed
iceweasel (PTS)squeeze (security), squeeze3.5.16-20vulnerable
wheezy31.3.0esr-1~deb7u1fixed
wheezy (security)31.5.0esr-1~deb7u1fixed
jessie31.4.0esr-1fixed
sid31.5.0esr-1fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
iceapesource(unstable)(unfixed)medium
iceapesourcesqueeze(unfixed)end-of-life
iceapesourcewheezy(unfixed)end-of-life
icedovesource(unstable)17.0.9-1medium
icedovesourcesqueeze(unfixed)end-of-life
icedovesourcewheezy17.0.9-1~deb7u1mediumDSA-2762-1
iceweaselsource(unstable)24.0-1medium
iceweaselsourcesqueeze(unfixed)end-of-life
iceweaselsourcewheezy17.0.9esr-1~deb7u1mediumDSA-2759-1

Search for package or bug name: Reporting problems