Cyber Resilience

CVE-2013-1690

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 June 2013
Modified: 22 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.4706 (97.8th percentile)
Risk Priority: 66 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2013-1690 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Suse Linux Enterprise Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Mozilla Firefox versions before 22.0, Firefox ESR 17.x versions before 17.0.7, Thunderbird versions before 17.0.7, and Thunderbird ESR 17.x versions before 17.0.7 contain a memory safety flaw stemming from improper handling of onreadystatechange events in combination with page reloading. The weakness, classified as CWE-119, can trigger an attempt to execute data at an unmapped memory location.

Remote attackers may exploit the vulnerability by serving a crafted web page to a user who visits the site in an affected browser or mail client. Successful exploitation can result in an application crash or arbitrary code execution with the privileges of the user running the software.

OpenSUSE security advisories for this issue direct administrators to apply updated packages that correct the handling of these events in the listed Mozilla products.

Vulnerability details

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    | Product                                  | Versions
mozilla   | firefox                                  | ≤ 22.0; 17.0 to 17.0.7
mozilla   | thunderbird                              | ≤ 17.0.7
mozilla   | thunderbird esr                          | 17.0 to 17.0.7
canonical | ubuntu linux                             | 12.04, 12.10, 13.04
debian    | debian linux                             | 7.0
redhat    | gluster storage server for on-premise    | 2.0
redhat    | enterprise linux desktop                 | 5.0, 6.0
redhat    | enterprise linux eus                     | 5.9, 6.4
redhat    | enterprise linux server                  | 5.0, 6.0
redhat    | enterprise linux server aus              | 5.9, 6.4

+5 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of vendor patches that correct the onreadystatechange memory-handling flaw in Firefox/Thunderbird.

SI-16 Memory Protection (prevent)

Enforces memory-protection mechanisms that block execution of data at unmapped addresses, mitigating the CWE-119 flaw before code execution succeeds.

SC-18 Mobile Code (partial match, prevent)

Restricts or sandboxes execution of mobile code (e.g., JavaScript) delivered by untrusted web pages, limiting the attack vector that triggers the vulnerability.