CVE-2013-6167

medium

Published 2014-02-15 · Modified 2026-04-29

CVSS v3

—

CVSS v2

6.8

VIR risk

7.8

Description

Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugzilla.mozilla.org/show_bug.cgi?id=858215

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2013-6167.html

Exploits

Exploit-DB

EDB-38798 · dos · multiple

OS impact

OS	Version	Status	Fixed in
sles		affected

Application impact

Vendor	Product	Versions	Fixed
mozilla	firefox	`{"endIncluding":"27.0"}`

References

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.