FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Mozilla -- XSS in sites without content-type header

Affected packages
firefox < 144.0.0,2
firefox-esr < 140.4.0
thunderbird < 144.0.0

Details

VuXML ID 4355ce42-ad06-11f0-b2aa-b42e991fc52e
Discovery 2025-10-14
Entry 2025-10-19

security@mozilla.org reports:

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
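For site operators, the server-side condition named in the report (a resource served without a content-type) can be audited directly. The following is an added example, not part of the Mozilla report or the VuXML entry: it flags body-carrying responses whose Content-Type header is absent or empty. The paths and response heads are constructed sample data, and the function names are hypothetical.

```python
# Added example: find responses that carry a body but declare no Content-Type.
# All sample responses below are constructed for illustration.
SAMPLES = {
    "/uploads/report.pdf": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 1024\r\n\r\n",
    "/uploads/note": "HTTP/1.1 200 OK\r\nContent-Length: 52\r\n\r\n",
    "/uploads/avatar": "HTTP/1.1 200 OK\r\nContent-Type: \r\nContent-Length: 300\r\n\r\n",
    "/missing": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "/cached": "HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n",
}


def parse_head(raw):
    """Split a raw response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def lacks_content_type(raw):
    """True when the response has a body but no usable Content-Type."""
    status, headers = parse_head(raw)
    # 1xx, 204 and 304 responses never carry a body, so there is nothing to type.
    if status < 200 or status in (204, 304):
        return False
    # An explicitly empty body gives the browser nothing to interpret either.
    if headers.get("content-length") == "0":
        return False
    # A header that is present but empty is as uninformative as a missing one.
    return headers.get("content-type", "") == ""


def audit(samples):
    """Return the sorted paths whose responses need an explicit Content-Type."""
    return sorted(path for path, raw in samples.items() if lacks_content_type(raw))


if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("no Content-Type:", path)
```

Paths reported by `audit` are the ones to fix by serving an explicit Content-Type for every file, which matters most for user-supplied uploads.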

References

CVE Name CVE-2025-11712
URL https://nvd.nist.gov/vuln/detail/CVE-2025-11712