CVE-2025-11712
BaseFortify
Publication date: 2025-10-14
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | thunderbird | to 140.0 (inc) |
| mozilla | firefox | From 60.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a malicious web page using the type attribute of an OBJECT tag to override the browser's default behavior when it encounters a web resource served without a content-type header. This can lead to cross-site scripting (XSS) attacks on sites that serve files without specifying a content-type, affecting certain versions of Firefox and Thunderbird.
How can this vulnerability impact me?
The vulnerability can allow attackers to execute malicious scripts in the context of a trusted website, potentially leading to unauthorized actions, data theft, or session hijacking for users of affected Firefox and Thunderbird versions.
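The precondition named in the first answer is a site that serves resources without a content-type header. The following added example (not part of the original page) shows one way a site owner could audit recorded response heads for that condition; the function names, paths and sample responses are constructed for illustration.

```python
# Added example: flag HTTP responses that carry a body but no usable Content-Type.
# SAMPLE_RESPONSES is constructed test data, not captured traffic.

NO_BODY_STATUSES = {204, 304}  # these statuses never carry a response body

def parse_head(raw):
    """Return (status_code, headers) from a raw response head; names lowercased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers, last = {}, None
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()  # obsolete folded continuation
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers

def lacks_content_type(raw):
    """True when the response has a body but a missing or empty Content-Type."""
    status, headers = parse_head(raw)
    if status in NO_BODY_STATUSES or 100 <= status < 200:
        return False  # nothing for the browser to interpret
    if headers.get("content-length") == "0":
        return False  # empty body
    return not headers.get("content-type", "")

def audit(responses):
    """Return the sorted paths whose responses lack a Content-Type."""
    return sorted(p for p, raw in responses.items() if lacks_content_type(raw))

SAMPLE_RESPONSES = {  # constructed
    "/uploads/report": "HTTP/1.1 200 OK\r\nContent-Length: 512\r\n\r\n",
    "/uploads/a.png": "HTTP/1.1 200 OK\r\ncontent-type: image/png\r\nContent-Length: 90\r\n\r\n",
    "/uploads/blank": "HTTP/1.1 200 OK\r\nContent-Type:\r\nContent-Length: 40\r\n\r\n",
    "/cache/item": "HTTP/1.1 304 Not Modified\r\nETag: \"x\"\r\n\r\n",
    "/empty": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print("missing Content-Type:", path)
```

Paths it reports are the ones to fix by having the server send an explicit content type for the resource.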