CVE-2012-3993 [Critical] | Privilege Escalation in Firefox

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue.

EDB-ID	Source	Kind	Published	Link
30474	exploit_db	edb	2013-08-06	Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

30474

exploit_db

edb

2013-08-06

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	80.84%	42.61%	-38.23%
2	2025-11-15	81.83%	80.84%	-0.99%
3	2025-10-05	—	81.83%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

80.84%

42.61%

-38.23%

2025-11-15

81.83%

80.84%

-0.99%

2025-10-05

—

81.83%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.3	2.0	HIGH	`AV:N/AC:M/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	8.6	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.3

2.0

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

8.6

10.0

[email protected]

OS Trackers for CVE-2012-3993

vendor	priority	summary	link
`gentoo`	high	CVE-2012-3993: 1 GLSA(s) (201301-01), 14 atom(s) (dev-libs/nss, mail-client/mozilla-thunderbird, …); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2012-3993
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2012-3993
`suse`	medium	CVE-2012-3993 severity moderate: SUSE including 71 source package names (MozillaFirefox, MozillaFirefox-10.0.9-0.3.1, …), 122 product×package rows across 43 product lines (SUSE CaaS Platform 4.0, SUSE Enterprise Storage 6, … (43 product lines)): Fixed 91, Known Not Affected 31.	https://www.suse.com/security/cve/CVE-2012-3993/
`ubuntu`	medium	CVE-2012-3993 medium priority: Ubuntu including 4 source packages (firefox, seamonkey, thunderbird, xulrunner-1.9.2), 36 status rows across 9 suites (hardy, lucid, natty, oneiric, precise, quantal, raring, saucy, upstream): released 17, DNE 9, ignored 9, needs-triage 1.	https://ubuntu.com/security/CVE-2012-3993

Affected software / configurations for CVE-2012-3993

Vendor	Product	Version	Raw CPE
mozilla	firefox	10.0	cpe:2.3:a:mozilla:firefox:10.0:::::::*
mozilla	firefox	10.0.1	cpe:2.3:a:mozilla:firefox:10.0.1:::::::*
mozilla	firefox	10.0.2	cpe:2.3:a:mozilla:firefox:10.0.2:::::::*
mozilla	firefox	10.0.3	cpe:2.3:a:mozilla:firefox:10.0.3:::::::*
mozilla	firefox	10.0.4	cpe:2.3:a:mozilla:firefox:10.0.4:::::::*
mozilla	firefox	10.0.5	cpe:2.3:a:mozilla:firefox:10.0.5:::::::*
mozilla	firefox	10.0.6	cpe:2.3:a:mozilla:firefox:10.0.6:::::::*
mozilla	firefox	10.0.7	cpe:2.3:a:mozilla:firefox:10.0.7:::::::*
mozilla	thunderbird_esr	10.0	cpe:2.3:a:mozilla:thunderbird_esr:10.0:::::::*
mozilla	thunderbird_esr	10.0.1	cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:::::::*
mozilla	thunderbird_esr	10.0.2	cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:::::::*
mozilla	thunderbird_esr	10.0.3	cpe:2.3:a:mozilla:thunderbird_esr:10.0.3:::::::*
mozilla	thunderbird_esr	10.0.4	cpe:2.3:a:mozilla:thunderbird_esr:10.0.4:::::::*
mozilla	thunderbird_esr	10.0.5	cpe:2.3:a:mozilla:thunderbird_esr:10.0.5:::::::*
mozilla	thunderbird_esr	10.0.6	cpe:2.3:a:mozilla:thunderbird_esr:10.0.6:::::::*
mozilla	thunderbird_esr	10.0.7	cpe:2.3:a:mozilla:thunderbird_esr:10.0.7:::::::*
mozilla	firefox	<= 15.0.1	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox	1.0	cpe:2.3:a:mozilla:firefox:1.0:::::::*
mozilla	firefox	1.0	cpe:2.3:a:mozilla:firefox:1.0:preview_release::::::
mozilla	firefox	1.0.1	cpe:2.3:a:mozilla:firefox:1.0.1:::::::*
mozilla	firefox	1.0.2	cpe:2.3:a:mozilla:firefox:1.0.2:::::::*
mozilla	firefox	1.0.3	cpe:2.3:a:mozilla:firefox:1.0.3:::::::*
mozilla	firefox	1.0.4	cpe:2.3:a:mozilla:firefox:1.0.4:::::::*
mozilla	firefox	1.0.5	cpe:2.3:a:mozilla:firefox:1.0.5:::::::*
mozilla	firefox	1.0.6	cpe:2.3:a:mozilla:firefox:1.0.6:::::::*
mozilla	firefox	1.0.7	cpe:2.3:a:mozilla:firefox:1.0.7:::::::*
mozilla	firefox	1.0.8	cpe:2.3:a:mozilla:firefox:1.0.8:::::::*
mozilla	firefox	1.4.1	cpe:2.3:a:mozilla:firefox:1.4.1:::::::*
mozilla	firefox	1.5	cpe:2.3:a:mozilla:firefox:1.5:::::::*
mozilla	firefox	1.5	cpe:2.3:a:mozilla:firefox:1.5:beta1::::::
mozilla	firefox	1.5	cpe:2.3:a:mozilla:firefox:1.5:beta2::::::
mozilla	firefox	1.5.0.1	cpe:2.3:a:mozilla:firefox:1.5.0.1:::::::*
mozilla	firefox	1.5.0.2	cpe:2.3:a:mozilla:firefox:1.5.0.2:::::::*
mozilla	firefox	1.5.0.3	cpe:2.3:a:mozilla:firefox:1.5.0.3:::::::*
mozilla	firefox	1.5.0.4	cpe:2.3:a:mozilla:firefox:1.5.0.4:::::::*
mozilla	firefox	1.5.0.5	cpe:2.3:a:mozilla:firefox:1.5.0.5:::::::*
mozilla	firefox	1.5.0.6	cpe:2.3:a:mozilla:firefox:1.5.0.6:::::::*
mozilla	firefox	1.5.0.7	cpe:2.3:a:mozilla:firefox:1.5.0.7:::::::*
mozilla	firefox	1.5.0.8	cpe:2.3:a:mozilla:firefox:1.5.0.8:::::::*
mozilla	firefox	1.5.0.9	cpe:2.3:a:mozilla:firefox:1.5.0.9:::::::*
mozilla	firefox	1.5.0.10	cpe:2.3:a:mozilla:firefox:1.5.0.10:::::::*
mozilla	firefox	1.5.0.11	cpe:2.3:a:mozilla:firefox:1.5.0.11:::::::*
mozilla	firefox	1.5.0.12	cpe:2.3:a:mozilla:firefox:1.5.0.12:::::::*
mozilla	firefox	1.5.1	cpe:2.3:a:mozilla:firefox:1.5.1:::::::*
mozilla	firefox	1.5.2	cpe:2.3:a:mozilla:firefox:1.5.2:::::::*
mozilla	firefox	1.5.3	cpe:2.3:a:mozilla:firefox:1.5.3:::::::*
mozilla	firefox	1.5.4	cpe:2.3:a:mozilla:firefox:1.5.4:::::::*
mozilla	firefox	1.5.5	cpe:2.3:a:mozilla:firefox:1.5.5:::::::*
mozilla	firefox	1.5.6	cpe:2.3:a:mozilla:firefox:1.5.6:::::::*
mozilla	firefox	1.5.7	cpe:2.3:a:mozilla:firefox:1.5.7:::::::*
mozilla	firefox	1.5.8	cpe:2.3:a:mozilla:firefox:1.5.8:::::::*
mozilla	firefox	1.8	cpe:2.3:a:mozilla:firefox:1.8:::::::*
mozilla	firefox	2.0	cpe:2.3:a:mozilla:firefox:2.0:::::::*
mozilla	firefox	2.0.0.1	cpe:2.3:a:mozilla:firefox:2.0.0.1:::::::*
mozilla	firefox	2.0.0.2	cpe:2.3:a:mozilla:firefox:2.0.0.2:::::::*
mozilla	firefox	2.0.0.3	cpe:2.3:a:mozilla:firefox:2.0.0.3:::::::*
mozilla	firefox	2.0.0.4	cpe:2.3:a:mozilla:firefox:2.0.0.4:::::::*
mozilla	firefox	2.0.0.5	cpe:2.3:a:mozilla:firefox:2.0.0.5:::::::*
mozilla	firefox	2.0.0.6	cpe:2.3:a:mozilla:firefox:2.0.0.6:::::::*
mozilla	firefox	2.0.0.7	cpe:2.3:a:mozilla:firefox:2.0.0.7:::::::*
mozilla	firefox	2.0.0.8	cpe:2.3:a:mozilla:firefox:2.0.0.8:::::::*
mozilla	firefox	2.0.0.9	cpe:2.3:a:mozilla:firefox:2.0.0.9:::::::*
mozilla	firefox	2.0.0.10	cpe:2.3:a:mozilla:firefox:2.0.0.10:::::::*
mozilla	firefox	2.0.0.11	cpe:2.3:a:mozilla:firefox:2.0.0.11:::::::*
mozilla	firefox	2.0.0.12	cpe:2.3:a:mozilla:firefox:2.0.0.12:::::::*
mozilla	firefox	2.0.0.13	cpe:2.3:a:mozilla:firefox:2.0.0.13:::::::*
mozilla	firefox	2.0.0.14	cpe:2.3:a:mozilla:firefox:2.0.0.14:::::::*
mozilla	firefox	2.0.0.15	cpe:2.3:a:mozilla:firefox:2.0.0.15:::::::*
mozilla	firefox	2.0.0.16	cpe:2.3:a:mozilla:firefox:2.0.0.16:::::::*
mozilla	firefox	2.0.0.17	cpe:2.3:a:mozilla:firefox:2.0.0.17:::::::*
mozilla	firefox	2.0.0.18	cpe:2.3:a:mozilla:firefox:2.0.0.18:::::::*
mozilla	firefox	2.0.0.19	cpe:2.3:a:mozilla:firefox:2.0.0.19:::::::*
mozilla	firefox	2.0.0.20	cpe:2.3:a:mozilla:firefox:2.0.0.20:::::::*
mozilla	firefox	3.0	cpe:2.3:a:mozilla:firefox:3.0:::::::*
mozilla	firefox	3.0.1	cpe:2.3:a:mozilla:firefox:3.0.1:::::::*
mozilla	firefox	3.0.2	cpe:2.3:a:mozilla:firefox:3.0.2:::::::*
mozilla	firefox	3.0.3	cpe:2.3:a:mozilla:firefox:3.0.3:::::::*
mozilla	firefox	3.0.4	cpe:2.3:a:mozilla:firefox:3.0.4:::::::*
mozilla	firefox	3.0.5	cpe:2.3:a:mozilla:firefox:3.0.5:::::::*
mozilla	firefox	3.0.6	cpe:2.3:a:mozilla:firefox:3.0.6:::::::*

References for CVE-2012-3993

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html	Mailing List Third Party Advisory
http://osvdb.org/86111	Broken Link
http://rhn.redhat.com/errata/RHSA-2012-1351.html	Third Party Advisory
http://secunia.com/advisories/50856	Third Party Advisory
http://secunia.com/advisories/50892	Third Party Advisory
http://secunia.com/advisories/50904	Third Party Advisory
http://secunia.com/advisories/50935	Third Party Advisory
http://secunia.com/advisories/50936	Third Party Advisory
http://secunia.com/advisories/50984	Third Party Advisory
http://secunia.com/advisories/55318	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2012:163	Third Party Advisory
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html	Vendor Advisory
http://www.securityfocus.com/bid/56119	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-1611-1	Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=768101	Issue Tracking Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/79153	Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16718	Third Party Advisory

URL

CVE-2012-3993

Public exploit references (Exploit-DB) for CVE-2012-3993

Exploit prediction scoring system (EPSS) score for CVE-2012-3993

Common vulnerability scoring system (CVSS) metrics for CVE-2012-3993

Weakness enumeration for CVE-2012-3993

OS Trackers for CVE-2012-3993

Affected software / configurations for CVE-2012-3993

References for CVE-2012-3993