CVE-2024-10461 — Cross-site Scripting in Mozilla

Vendor	Product	Version range	Fixed in
debian	firefox	< firefox 132.0-1 (sid)	firefox 132.0-1 (sid)
debian	firefox-esr	< firefox 132.0-1 (sid)	firefox 132.0-1 (sid)
debian	thunderbird	< firefox 132.0-1 (sid)	firefox 132.0-1 (sid)
mozilla	firefox	< 128.4.0	128.4.0
mozilla	firefox	< 132.0	132.0
mozilla	firefox	—	—
mozilla	firefox	>= 0 < 132.0+build1-0ubuntu0.20.04.1	132.0+build1-0ubuntu0.20.04.1
mozilla	firefox	>= unspecified < 132	132
mozilla	firefox_esr	>= unspecified < 128.4	128.4
mozilla	thunderbird	< 128.4.0	128.4.0
mozilla	thunderbird	>= 0 < 1:128.4.0esr-1~deb11u1	1:128.4.0esr-1~deb11u1
mozilla	thunderbird	>= 0 < 1:128.4.0esr-1~deb12u1	1:128.4.0esr-1~deb12u1
mozilla	thunderbird	>= 0 < 1:128.4.0esr-1	1:128.4.0esr-1
mozilla	thunderbird	>= 0 < 1:128.4.0esr-1	1:128.4.0esr-1
mozilla	thunderbird	>= 129.0 < 132.0	132.0
mozilla	thunderbird	>= unspecified < 128.4	128.4
mozilla	thunderbird	>= unspecified < 132	132

Ubuntu

Thunderbird vulnerabilities

vendor_ubuntu·2026-02-02

CVE-2025-8031 Thunderbird vulnerabilities Title: Thunderbird vulnerabilities Summary: Several security issues were fixed in Thunderbird. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Instructions: In general, a standard system update will make all the necessary changes.

Ubuntu

Firefox vulnerabilities

vendor_ubuntu·2024-10-31·CVSS 7.5

CVE-2024-10459 [HIGH] Firefox vulnerabilities Title: Firefox vulnerabilities Summary: Several security issues were fixed in Firefox. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-10458 CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, CVE-2024-10467, CVE-2024-10468) Instructions: After a standard system update you need to restart Firefox to make all the necessary changes.

Red Hat

firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response

vendor_redhat·2024-10-29·CVSS 6.1

CVE-2024-10461 [MEDIUM] CWE-79 firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. The Mozilla Foundation's Security Advisory: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header is not respected and does not force a download, which could allow cross-site scripting (XSS) attacks. Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. Package: firefox (Red Hat Enterprise L

Debian

CVE-2024-10461: firefox - In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the...

vendor_debian·2024·CVSS 6.1

CVE-2024-10461 [MEDIUM] CVE-2024-10461: firefox - In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the... In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. Scope: local sid: resolved (fixed in 132.0-1)

Mozilla

Mozilla Foundation Security Advisory 2024-59: CVE-2024-10461

vendor_mozilla·CVSS 6.1

CVE-2024-10461 [MEDIUM] Mozilla Foundation Security Advisory 2024-59: CVE-2024-10461 Mozilla Foundation Security Advisory 2024-59 CVE: CVE-2024-10461 Product: Thunderbird Impact: moderate Fixed in: Thunderbird 132

Mozilla

Mozilla Foundation Security Advisory 2024-58: CVE-2024-10461

vendor_mozilla·CVSS 6.1

CVE-2024-10461 [MEDIUM] Mozilla Foundation Security Advisory 2024-58: CVE-2024-10461 Mozilla Foundation Security Advisory 2024-58 CVE: CVE-2024-10461 Product: Thunderbird Impact: moderate Fixed in: Thunderbird 128.4

Mozilla

Mozilla Foundation Security Advisory 2024-55: CVE-2024-10461

vendor_mozilla·CVSS 6.1

CVE-2024-10461 [MEDIUM] Mozilla Foundation Security Advisory 2024-55: CVE-2024-10461 Mozilla Foundation Security Advisory 2024-55 CVE: CVE-2024-10461 Product: Firefox Impact: moderate Fixed in: Firefox 132

Mozilla

Mozilla Foundation Security Advisory 2024-56: CVE-2024-10461

vendor_mozilla·CVSS 6.1

CVE-2024-10461 [MEDIUM] Mozilla Foundation Security Advisory 2024-56: CVE-2024-10461 Mozilla Foundation Security Advisory 2024-56 CVE: CVE-2024-10461 Product: Firefox ESR Impact: moderate Fixed in: Firefox ESR 128.4

OSV

firefox vulnerabilities

osv·2024-10-31·CVSS 7.5

CVE-2024-10458 [HIGH] firefox vulnerabilities firefox vulnerabilities Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-10458 CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, CVE-2024-10467, CVE-2024-10468)

GHSA

GHSA-679j-4q32-w85w: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which

ghsa_unreviewed·2024-10-29

CVE-2024-10461 [MEDIUM] CWE-79 GHSA-679j-4q32-w85w: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

OSV

CVE-2024-10461: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which

osv·2024-10-29·CVSS 6.1

CVE-2024-10461 [MEDIUM] CVE-2024-10461: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

CVE-2024-10461: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could…

Affected

CVSS provenance