CVE-2024-10461: Cross-site Scripting in Mozilla Firefox

CWE-79 Cross-site Scripting | 13 documents | 8 sources

Severity
NVD: 6.1 MEDIUM
OSV: 7.5

EPSS
0.9% (top 23.66%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Oct 29
Latest update: Feb 2

Description

In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (7 packages)

Source | Package | Introduced | Fixed
CVEListV5 | mozilla/firefox | unspecified | 132
NVD | mozilla/firefox | < 128.4.0 | +1
CVEListV5 | mozilla/firefox_esr | unspecified | 128.4
CVEListV5 | mozilla/thunderbird | unspecified | 128.4 | +1
NVD | mozilla/thunderbird | 129.0 | 132.0 | +1

Vulnerability Details (4)

OSV: firefox vulnerabilities (2024-10-31)
CVEList: CVE-2024-10461: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which (2024-10-29)
GHSA: GHSA-679j-4q32-w85w: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which (2024-10-29)
OSV: CVE-2024-10461: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which (2024-10-29)

Vendor Advisories (8)

Ubuntu: Thunderbird vulnerabilities (2026-02-02)
Ubuntu: Firefox vulnerabilities (2024-10-31)
Red Hat: firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (2024-10-29)
Debian: CVE-2024-10461: firefox - In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the... (2024)
Mozilla: Mozilla Foundation Security Advisory 2024-59: CVE-2024-10461
CVE-2024-10461 — Cross-site Scripting in Mozilla | cvebase