CVE-2013-5598 : PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does not properly handle the appending of an IFRA

PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does not properly handle the appending of an IFRAME element, which allows remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges by using this element within an embedded PDF object.

Published 2013-10-30 10:55:05

Updated 2017-09-19 01:36:49

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-5598

Probability of exploitation activity in the next 30 days: 1.15%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-5598

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.3	HIGH	AV:N/AC:M/Au:N/C:C/I:P/A:P	8.6	8.5	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2013-5598

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-5598

http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00006.html

[security-announce] openSUSE-SU-2013:1634-1: important: Mozilla updates

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=920515

920515 - (CVE-2013-5598) pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19133

Repository / Oval Repository
https://security.gentoo.org/glsa/201504-01

Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00005.html

[security-announce] openSUSE-SU-2013:1633-1: important: Mozilla Suite: U

CVEs referencing this url
http://www.mozilla.org/security/announce/2013/mfsa2013-99.html

Security bypass of PDF.js checks using iframes — Mozilla
Vendor Advisory

Products affected by CVE-2013-5598

Mozilla » Firefox
Versions up to, including, (<=) 24.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0
cpe:2.3:a:mozilla:firefox:19.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.1
cpe:2.3:a:mozilla:firefox:19.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 19.0.2
cpe:2.3:a:mozilla:firefox:19.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0
cpe:2.3:a:mozilla:firefox:20.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 20.0.1
cpe:2.3:a:mozilla:firefox:20.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 21.0
cpe:2.3:a:mozilla:firefox:21.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 22.0
cpe:2.3:a:mozilla:firefox:22.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 23.0
cpe:2.3:a:mozilla:firefox:23.0:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox » Version: 23.0.1
cpe:2.3:a:mozilla:firefox:23.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 24.0.1
cpe:2.3:a:mozilla:firefox_esr:24.0.1:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 24.0.2
cpe:2.3:a:mozilla:firefox_esr:24.0.2:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr » Version: 24.0
cpe:2.3:a:mozilla:firefox_esr:24.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-5598

Exploit prediction scoring system (EPSS) score for CVE-2013-5598

CVSS scores for CVE-2013-5598

CWE ids for CVE-2013-5598

References for CVE-2013-5598

Products affected by CVE-2013-5598