CVE-2024-10461

Published: Oct 29, 2024Modified: Nov 3, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

Affected (4)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 132.0
Mozilla Firefox	Before 128.4.0
Mozilla Thunderbird	Before 128.4.0
Mozilla Thunderbird	From 129.0 to 132.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (7)

https://bugzilla.mozilla.org/show_bug.cgi?id=1914521

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2024-55/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-56/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-58/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2024-59/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.