ID

VAR-201401-0279


CVE

CVE-2013-6853


TITLE

Yahoo! Toolbar plug-in for Firefox: cross-site scripting vulnerability in clickstream.js

Trust: 0.8

sources: JVNDB: JVNDB-2014-001253

DESCRIPTION

Cross-site scripting (XSS) vulnerability in clickstream.js in the Y! Toolbar plugin for Firefox, versions 3.1.0.20130813024103 (Mac) and 2.5.9.2013418100420 (Windows), allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is stored by the victim.

Yahoo! Toolbar for Firefox is prone to an unspecified HTML-injection vulnerability because it fails to sanitize user-supplied input. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

Y! Toolbar (Yahoo! Toolbar) is a web browser toolbar from Yahoo! that runs in Microsoft IE and Mozilla Firefox. It supports custom toolbars and lets the user check e-mail and view weather forecasts, news and other information at any time.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2013-6853: Stored XSS via Code Injection in Y! Toolbar DOM for FireFox on MAC Version 3.1.0.20130813024103 and Windows Version 2.5.9.2013418100420.

Report URL: http://xss.cx/2014/01/14/mov/cve-2013-6853-stored-xss-via-local-file-inclusion-yahoo-toolbar-version-3x-javascript-injection-poc/index.html

Cheers!

- -D
-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526

wsBVAwUBUtZ/hHz+WcLIygj0AQiqowf8Cr/oHbnVurNR8LtsZGmt/X/FM4K/MHkL
bBKBllEtWpYZZXg76DmM0qYrvbzXk3dYN8i04OA2FXPJEZguoEQVBqgwzfmfeEHP
b+cOsgR/+MJ/1iQ0q6RcXrghYXmyjSmzxXcGF7wsVSOtLmnrSbAxx+/VJiknCRRC
Y0H0Tbc1HB5kPjQu0Fax1+PCbMRspAFiMBpV0ZDvhnDNaMgkhUMVhI8489aLnwxt
qHGCXMvw9eSJkzE4Du82LbYNQbgtrffj+mwWEwFMeuB1euBMklvo/QdLp7Bcn49g
R5/Eyh+LbRzD5NB3BL2QTm1jW7SYCAKvtd7H/GJWoKgj+joNG/N9Lg==
=mH1u
-----END PGP SIGNATURE-----
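The description above identifies the bug class (CWE-79): a URL the victim has visited is stored by the toolbar and later rendered into its own UI without being neutralised, so markup inside that URL becomes live script in the toolbar's DOM. The following JavaScript is an added illustration of that pattern and of the corresponding fix; it is not Yahoo's clickstream.js nor code from the advisory, and the function names, the sample stored URLs and the rendering shape are assumptions made for the example. It runs under Node.js without a browser because it builds the HTML string that would be assigned to innerHTML instead of touching a real DOM.

```javascript
// Added example: the stored-URL-to-markup pattern behind a toolbar XSS.
// Not Yahoo's clickstream.js; names and sample data are assumptions.

// Constructed sample of stored "clickstream" entries: one benign URL, one
// crafted URL carrying an attribute breakout plus an event handler, and one
// non-http scheme that should never be rendered as a link.
const STORED_URLS = [
  "https://example.com/news?id=42",
  'https://example.com/"><img src=x onerror=alert(document.cookie)>',
  "javascript:alert(1)",
];

// Vulnerable pattern: the stored string is concatenated straight into markup
// destined for innerHTML, so attacker-controlled quotes and tags become DOM.
function renderHistoryUnsafe(urls) {
  return urls.map((u) => `<li><a href="${u}">${u}</a></li>`).join("");
}

// HTML-escape a value for both text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only URLs that parse and use http or https; everything else is
// rejected (returns null) rather than rendered. The WHATWG URL parser also
// percent-encodes characters such as <, >, " and space in the path.
function safeHref(u) {
  try {
    const parsed = new URL(u);
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (_) {
    // unparsable input is rejected below
  }
  return null;
}

// Hardened rendering: validate the scheme, then escape every interpolation.
// Entries that fail validation are dropped instead of rendered.
function renderHistorySafe(urls) {
  return urls
    .map((u) => {
      const href = safeHref(u);
      if (href === null) return "";
      const h = escapeHtml(href);
      return `<li><a href="${h}">${h}</a></li>`;
    })
    .join("");
}

// Counts rendered entries so a caller can see how many were dropped.
function countEntries(html) {
  return (html.match(/<li>/g) || []).length;
}

console.log("unsafe:", renderHistoryUnsafe(STORED_URLS));
console.log("safe:  ", renderHistorySafe(STORED_URLS));
```

Run with `node`: the unsafe output carries the attacker's `<img ... onerror=...>` tag as live markup, while the safe output keeps only the two http(s) entries, with the crafted path percent-encoded and every interpolation escaped. In a real extension the equivalent of renderHistorySafe is to create elements with createElement, set text via textContent and assign href only after the scheme check, never to assemble markup strings for innerHTML.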

Trust: 2.07

sources: NVD: CVE-2013-6853 // JVNDB: JVNDB-2014-001253 // BID: 64971 // VULHUB: VHN-66855 // PACKETSTORM: 124800

AFFECTED PRODUCTS

vendor: yahoo, model: toolbar, scope: eq, version: 3.1.0.20130813024103

Trust: 1.6

vendor: yahoo, model: toolbar, scope: eq, version: 2.5.9.2013418100420

Trust: 1.6

vendor: yahoo, model: yahoo! toolbar, scope: eq, version: 2.5.9.2013418100420 (windows)

Trust: 0.8

vendor: yahoo, model: yahoo! toolbar, scope: eq, version: 3.1.0.20130813024103 (mac)

Trust: 0.8

vendor: yahoo, model: yahoo! toolbar, scope: eq, version: 2.5.9.2013418100420

Trust: 0.3

sources: BID: 64971 // JVNDB: JVNDB-2014-001253 // CNNVD: CNNVD-201401-536 // NVD: CVE-2013-6853

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6853
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6853
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201401-536
value: MEDIUM

Trust: 0.6

VULHUB: VHN-66855
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-6853
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-66855
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-66855 // JVNDB: JVNDB-2014-001253 // CNNVD: CNNVD-201401-536 // NVD: CVE-2013-6853

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-66855 // JVNDB: JVNDB-2014-001253 // NVD: CVE-2013-6853

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-536

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 124800 // CNNVD: CNNVD-201401-536

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001253

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-66855

PATCH

title: Yahoo! Toolbar :: Add-ons for Firefox
url: https://addons.mozilla.org/ja/firefox/addon/yahoo-toolbar/

Trust: 0.8

title: Yahoo! Toolbar (Japanese site)
url: http://toolbar.yahoo.co.jp/

Trust: 0.8

title: Fixes for cross-site scripting vulnerabilities in the Y! Toolbar plugin for Firefox
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=163500

Trust: 0.6

sources: JVNDB: JVNDB-2014-001253 // CNNVD: CNNVD-201401-536

EXTERNAL IDS

db: NVD, id: CVE-2013-6853

Trust: 2.9

db: OSVDB, id: 102175

Trust: 2.5

db: BID, id: 64971

Trust: 2.0

db: PACKETSTORM, id: 124800

Trust: 1.8

db: XF, id: 90529

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001253

Trust: 0.8

db: CNNVD, id: CNNVD-201401-536

Trust: 0.7

db: VULHUB, id: VHN-66855

Trust: 0.1

sources: VULHUB: VHN-66855 // BID: 64971 // JVNDB: JVNDB-2014-001253 // PACKETSTORM: 124800 // CNNVD: CNNVD-201401-536 // NVD: CVE-2013-6853

REFERENCES

url:http://osvdb.org/102175

Trust: 2.5

url:http://www.securityfocus.com/bid/64971

Trust: 1.7

url:http://packetstormsecurity.com/files/124800/y-toolbar-cross-site-scripting.html

Trust: 1.7

url:http://www.cloudscan.me/2014/01/cve-2013-6853-stored-xss-in-y-toolbar.html

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/90529

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6853

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6853

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/90529

Trust: 0.8

url:https://addons.mozilla.org/en-us/firefox/addon/yahoo-toolbar/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-6853

Trust: 0.1

url:http://xss.cx/2014/01/14/mov/cve-2013-6853-stored-xss-via-local-file-inclusion-yahoo-toolbar-version-3x-javascript-injection-poc/index.html

Trust: 0.1

sources: VULHUB: VHN-66855 // BID: 64971 // JVNDB: JVNDB-2014-001253 // PACKETSTORM: 124800 // CNNVD: CNNVD-201401-536 // NVD: CVE-2013-6853

CREDITS

Hoyt LLC via XSS.Cx

Trust: 0.3

sources: BID: 64971

SOURCES

db: VULHUB, id: VHN-66855
db: BID, id: 64971
db: JVNDB, id: JVNDB-2014-001253
db: PACKETSTORM, id: 124800
db: CNNVD, id: CNNVD-201401-536
db: NVD, id: CVE-2013-6853

LAST UPDATE DATE

2025-04-11T22:59:01.563000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-66855, date: 2017-08-29T00:00:00
db: BID, id: 64971, date: 2014-01-14T00:00:00
db: JVNDB, id: JVNDB-2014-001253, date: 2014-01-28T00:00:00
db: CNNVD, id: CNNVD-201401-536, date: 2021-09-23T00:00:00
db: NVD, id: CVE-2013-6853, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: VULHUB, id: VHN-66855, date: 2014-01-26T00:00:00
db: BID, id: 64971, date: 2014-01-14T00:00:00
db: JVNDB, id: JVNDB-2014-001253, date: 2014-01-28T00:00:00
db: PACKETSTORM, id: 124800, date: 2014-01-16T03:32:35
db: CNNVD, id: CNNVD-201401-536, date: 2014-01-28T00:00:00
db: NVD, id: CVE-2013-6853, date: 2014-01-26T01:55:09.267