CVE-2024-10461

Summary

In multipart/x-mixed-replace responses, Content-Disposition: attachment in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 132affected
MozillaFirefox ESRunspecified < 128.4affected
MozillaThunderbirdunspecified < 128.4affected
MozillaThunderbirdunspecified < 132affected

Weaknesses

  • XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References