Cyber Resilience

CVE-2013-1675

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 May 2013

Modified
22 April 2026
KEV Added
03 March 2022
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0795 (92.2nd percentile)
Risk Priority: 38 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-1675 is a medium-severity Improper Initialization (CWE-665) vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird; the affected builds were also shipped by Canonical Ubuntu Linux, Debian and Red Hat (see Affected Assets). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 7.8% of CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Mozilla Firefox before version 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 contain an improper initialization flaw in the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions. The affected code fails to initialize these SVG zoom event values before they become reachable from script, which is tracked as CWE-665 and carries a CVSS 3.1 score of 6.5: network attack vector, low complexity, no privileges required, user interaction required, high confidentiality impact, and no integrity or availability impact.

Remote attackers can exploit the issue by serving a crafted web page (or, for Thunderbird, crafted mail content) that triggers SVG zoom event handling in a vulnerable browser or mail client. Successful exploitation lets the attacker's script read the uninitialized values, which contain whatever stale data previously occupied that memory, and so disclose contents of the process address space, potentially including cryptographic material or other process data. The attack requires the user to interact with the malicious content.

The referenced OpenSUSE security advisories describe the availability of updated packages that correct the initialization error in the affected Mozilla components and advise administrators to apply the patches promptly to prevent information disclosure. No further details on in-the-wild exploitation are supplied in the source material.

EU & UK References

Vulnerability details

Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 do not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.

CWE(s)
CWE-665 Improper Initialization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
< 21.0 (all releases before 21.0) · ESR 17.0 up to (excluding) 17.0.6
mozilla
thunderbird
< 17.0.6 (all releases before 17.0.6)
mozilla
thunderbird esr
17.0 up to (excluding) 17.0.6
canonical
ubuntu linux
12.04, 12.10, 13.04
debian
debian linux
7.0
redhat
gluster storage server for on-premise
2.1
redhat
enterprise linux desktop
5.0, 6.0
redhat
enterprise linux eus
5.9, 6.4
redhat
enterprise linux for ibm z systems
5.0_s390x, 6.0_s390x
redhat
enterprise linux for ibm z systems eus
5.9_s390x, 6.4_s390x
+8 more product configuration(s) — see NVD for full list
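The version bounds above are exclusive (21.0 and 17.0.6 are the fixed releases), which is easy to get wrong in an inventory check. The following Python is an added example, not code from this site or from Mozilla: it encodes the Mozilla ranges listed on this page and classifies the output of `firefox --version` / `thunderbird --version`. The sample version lines are constructed for the example; the product keys (firefox, firefox_esr, thunderbird, thunderbird_esr) are this example's own naming. Distribution packages from the Canonical, Debian and Red Hat rows are not covered, since their fixed package versions are not given on the page.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed on this page (from NVD CPE data). Lower bound is
# inclusive (None = no lower bound); upper bound is exclusive because the
# fixed releases are 21.0 and 17.0.6.
AFFECTED_RANGES = {
    "firefox":         (None, (21, 0)),        # every release before 21.0
    "firefox_esr":     ((17, 0), (17, 0, 6)),   # ESR 17.0 up to (excluding) 17.0.6
    "thunderbird":     (None, (17, 0, 6)),      # every release before 17.0.6
    "thunderbird_esr": ((17, 0), (17, 0, 6)),   # ESR 17.0 up to (excluding) 17.0.6
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Turn '17.0.5esr' into ((17, 0, 5), True). Any alphabetic suffix is
    dropped for comparison; only 'esr' is remembered, as a flag."""
    m = re.match(r"(\d+(?:\.\d+)*)\s*([A-Za-z]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (m.group(2) or "").lower() == "esr"


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples after zero-padding, so 21 == 21.0 == 21.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version falls inside an affected range."""
    if product not in AFFECTED_RANGES:
        return False
    lo, hi = AFFECTED_RANGES[product]
    v, _ = parse_version(version)
    if lo is not None and _cmp(v, lo) < 0:
        return False
    return _cmp(v, hi) < 0


def classify_version_output(line: str) -> Optional[Tuple[str, str, bool]]:
    """Map a '--version' line such as 'Mozilla Firefox 17.0.5esr' to
    (product key, normalised version, affected). Returns None for lines
    that are not a Firefox/Thunderbird version string."""
    m = re.match(r"(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\S+)", line.strip(),
                 re.IGNORECASE)
    if not m:
        return None
    nums, esr = parse_version(m.group(2))
    product = m.group(1).lower() + ("_esr" if esr else "")
    version = ".".join(str(n) for n in nums)
    return product, version, is_affected(product, version)


if __name__ == "__main__":
    # Constructed sample lines, not real inventory data.
    for line in ["Mozilla Firefox 20.0", "Mozilla Firefox 17.0.5esr",
                 "Mozilla Firefox 21.0", "Thunderbird 17.0.6",
                 "Mozilla Thunderbird 17.0.5"]:
        print(f"{line!r:32} -> {classify_version_output(line)}")
```

A non-ESR 17.x Firefox is caught by the plain firefox rule (it is below 21.0); the separate ESR rule exists because ESR 17.0.6 was shipped before 21.0 and must not be flagged.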

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · SI-2 Flaw Remediation

Directly requires applying the vendor updates (Firefox 21.0 or ESR 17.0.6, Thunderbird 17.0.6, or the distribution packages that carry the fix) that correct the nsDOMSVGZoomEvent initialization flaw before exploitation can occur.

prevent · SI-16 Memory Protection

Memory-protection mechanisms such as ASLR and data execution prevention do not stop the uninitialized read itself, but they reduce what an attacker can do with the disclosed bytes, for example as a building block for a follow-on memory-corruption exploit.

prevent

Enforces process isolation boundaries that limit the scope of memory an attacker can read even when the browser's event structures remain uninitialized.

References