3 matches found
SUSE CVE-2025-6430
When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a embed or object tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12,...
firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
The Mozilla Foundation's Security Advisory: In multipart/x-mixed-replace responses, Content-Disposition: attachment in the response header is not respected and does not force a download, which could allow cross-site scripting XSS attacks...
firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
The Mozilla Foundation's Security Advisory: In multipart/x-mixed-replace responses, Content-Disposition: attachment in the response header is not respected and does not force a download, which could allow cross-site scripting XSS attacks...