VCID-1y3r-cus3-nkc6

Mozilla engineer Matt Wobensmith discovered that when the getUserMedia permission dialog for an iframe appears in one domain, it displays its origin as that of the top-level document rather than the calling framed page. This could lead users to grant camera or microphone permissions incorrectly, mistaking the requesting page's location for the hosting page's.

CVE-2013-1698

VCID-5kk1-af3t-5qdd

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1690

VCID-5swu-e3xk-7bfx

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1692

VCID-946h-9dya-zyg7

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1682

VCID-fw25-a686-eqhx

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1697

VCID-j5wk-5thk-ckfr

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1687

VCID-pden-es6n-nfey

Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that Verisign's prevention measures for homograph attacks using Internationalized Domain Names (IDN) were insufficiently rigorous, and this led to a limited possibility for domain spoofing in Firefox.

IDN allows non-English speakers to use domains in their local language. Many supported characters are similar or identical to others in English, allowing for the potential spoofing of domain names and for phishing attacks when not blocked. In consultation with Verisign, Mozilla had added the .com, .net, and .name top-level domains to its IDN whitelist, allowing for IDN use in those top-level domains without restrictions. However, it became clear that a number of historical dangerous registrations continued to be valid.

This issue has been fixed by removing the .com, .net, and .name top-level domains from the IDN whitelist, and supplementing the whitelist implementation with technical restrictions against script-mixing in domain labels. These restrictions apply to all non-whitelisted top-level domains. More information on the exact algorithm used can be found here.

CVE-2013-1699

VCID-tqp2-yvuv-5ygs

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1684

VCID-wcpv-beb3-kbgz

Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service would behave incorrectly and could be made to use an updater at an arbitrary location. This updater would run with the system privileges used by the Maintenance Service, allowing for local privilege escalation. Local file system access is necessary in order for this issue to be exploitable, and it cannot be triggered through web content.

CVE-2013-1700

VCID-yabd-5zcy-zbem

Mozilla community member Bob Owen reported that <iframe sandbox> restrictions are not applied to a frame element contained within a sandboxed iframe. As a result, content hosted within a sandboxed iframe could use a frame element to bypass the restrictions that should be applied.

CVE-2013-1695

VCID-ye96-58tj-dqhk

Security researcher Mariusz Mlynski reported that when a user examines the profiler output on a malicious website containing specially crafted code, it is possible for arbitrary code execution to occur. This occurs because the profiler user interface runs in a special iframe that parses data from the profiler to render the UI, leaving it susceptible to manipulation.

CVE-2013-1688

VCID-yrvg-tnxb-akgc

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1693

VCID-z455-pxya-jyej

Bugzilla developer Frédéric Buclin reported that the X-Frame-Options header is ignored when server push is used in multi-part responses. This can lead to potential clickjacking on sites that use X-Frame-Options as a protection.

CVE-2013-1696

VCID-zscp-wft5-f3ae

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code.

CVE-2013-1694