In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
References
Configurations
No configuration.
History
29 Oct 2024, 14:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
CWE | CWE-79 |
29 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 13:15
Updated : 2024-10-29 14:35
NVD link : CVE-2024-10461
Mitre link : CVE-2024-10461
CVE.ORG link : CVE-2024-10461
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')