CVE-2025-11712

MEDIUM, 6.1 (CVSS 3.1)
2025-10-14 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 13, 2026 - 15:45 (vuln.today)

Description (NVD)

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Analysis (AI)

Firefox and Thunderbird allow cross-site scripting (XSS) attacks when a malicious page uses the type attribute of an OBJECT tag to override default browser behavior for resources served without a content-type header. An attacker can craft a malicious webpage that exploits this flaw to execute arbitrary JavaScript in the context of a vulnerable site that unsafely omits content-type headers, affecting Firefox versions before 144, Firefox ESR before 140.4, Thunderbird before 144, and Thunderbird ESR before 140.4. No public exploit code or active exploitation has been identified at time of analysis.

Technical Context (AI)

This vulnerability is classified as Improper Neutralization of Output During Web Page Generation (CWE-116). Browsers normally decide how to handle a web resource from its Content-Type HTTP header; when the header is absent, they apply heuristics to infer the content type. The vulnerability allows an attacker to use the OBJECT tag's type attribute to force the browser to interpret a resource in an unexpected way, bypassing the browser's default safety behavior for missing content-type headers. This is particularly dangerous when combined with sites that serve user-controlled or sensitive data without proper content-type headers, as the type attribute override can cause the browser to treat plain text or HTML data as executable content within the page's security context. The affected products are Mozilla Firefox (standard and ESR branches) and Thunderbird (standard and ESR branches), as identified by the CPE strings covering all versions prior to the patched releases.

Remediation (AI)

Vendor-released patches: Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. Users should update to these versions immediately via the respective browser's update mechanism or through their Linux distribution package manager. Additionally, website administrators should ensure all HTTP responses include appropriate Content-Type headers to prevent content-sniffing attacks. Detailed patch information and advisories are available at https://www.mozilla.org/security/advisories/mfsa2025-81/ (Firefox), https://www.mozilla.org/security/advisories/mfsa2025-83/ (Firefox ESR), https://www.mozilla.org/security/advisories/mfsa2025-84/ (Thunderbird), and https://www.mozilla.org/security/advisories/mfsa2025-85/ (Thunderbird ESR).
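The server-side half of this remediation, as an added example (not code from Mozilla or vuln.today): a WSGI middleware that refuses to let a body-bearing response leave without a Content-Type and records which paths tried to. The names `harden_headers`, `EnsureContentType` and `demo_app`, the `application/octet-stream` fallback, and the extra `X-Content-Type-Options: nosniff` header are assumptions of this example.

```python
"""WSGI middleware: never send a body-bearing response without a Content-Type."""

FALLBACK_TYPE = "application/octet-stream"  # assumption: inert, non-rendered type
NO_BODY_CODES = {"204", "304"}              # these responses carry no body

def harden_headers(status, headers):
    """Return (headers, was_missing) for one response's header list."""
    code = status.split(" ", 1)[0]
    if code in NO_BODY_CODES or code.startswith("1"):
        return list(headers), False
    # Drop empty Content-Type values: they are as bad as a missing header.
    out = [(n, v) for n, v in headers
           if not (n.lower() == "content-type" and not v.strip())]
    present = {n.lower() for n, _ in out}
    was_missing = "content-type" not in present
    if was_missing:
        out.append(("Content-Type", FALLBACK_TYPE))
    if "x-content-type-options" not in present:
        # Added by this example, not named in the advisory.
        out.append(("X-Content-Type-Options", "nosniff"))
    return out, was_missing

class EnsureContentType:
    """Wrap a WSGI app; record paths that tried to respond without a type."""
    def __init__(self, app):
        self.app = app
        self.missing = []

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            fixed, was_missing = harden_headers(status, headers)
            if was_missing:
                self.missing.append(environ.get("PATH_INFO", ""))
            return start_response(status, fixed, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    # Constructed sample app: the upload route forgets to set a Content-Type.
    if environ["PATH_INFO"].startswith("/uploads/"):
        start_response("200 OK", [])
        return [b"user-supplied bytes"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>ok</p>"]

def run_demo(path):
    seen = {}
    wrapped = EnsureContentType(demo_app)
    b"".join(wrapped({"PATH_INFO": path}, lambda s, h, e=None: seen.update(h)))
    return seen, wrapped.missing
```

The `missing` list is the useful part operationally: each entry is a handler that should be fixed to declare its real type rather than rely on the fallback.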
