FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox -- multiple vulnerabilities

Affected packages
firefox < 128.12.0,2
firefox < 140.0,2

Details

VuXML ID 9bad6f79-58cf-11f0-b4ad-b42e991fc52e
Discovery 2025-06-24
Entry 2025-07-04

security@mozilla.org reports:

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack.

References

CVE Name CVE-2025-6429
CVE Name CVE-2025-6430
URL https://nvd.nist.gov/vuln/detail/CVE-2025-6429
URL https://nvd.nist.gov/vuln/detail/CVE-2025-6430