Endpoint Vulnerability

XrayWrappers can be bypassed to run user-defined methods in a privileged context

Description

Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers can be bypassed to call content-defined toString and valueOf methods through DefaultValue. This can lead to unexpected behavior when privileged code acts on the incorrect values.

Affected Products

Thunderbird

References

CVE-2013-1697