Vulnerability-Lookup

OPENSUSE-SU-2025:15216-1

Vulnerability from csaf_opensuse - Published: 2025-07-03 00:00 - Updated: 2025-07-03 00:00

Summary

firefox-esr-128.12.0-1.1 on GA media

Notes

Title of the patch

firefox-esr-128.12.0-1.1 on GA media

Description of the patch

These are all security issues fixed in the firefox-esr-128.12.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15216

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "firefox-esr-128.12.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the firefox-esr-128.12.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15216",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15216-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6424 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6424/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6425 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6425/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6426 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6426/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6429 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6429/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-6430 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-6430/"
      }
    ],
    "title": "firefox-esr-128.12.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-07-03T00:00:00Z",
      "generator": {
        "date": "2025-07-03T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15216-1",
      "initial_release_date": "2025-07-03T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-07-03T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-esr-128.12.0-1.1.aarch64",
                "product": {
                  "name": "firefox-esr-128.12.0-1.1.aarch64",
                  "product_id": "firefox-esr-128.12.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
                "product": {
                  "name": "firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
                  "product_id": "firefox-esr-branding-upstream-128.12.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-common-128.12.0-1.1.aarch64",
                "product": {
                  "name": "firefox-esr-translations-common-128.12.0-1.1.aarch64",
                  "product_id": "firefox-esr-translations-common-128.12.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-other-128.12.0-1.1.aarch64",
                "product": {
                  "name": "firefox-esr-translations-other-128.12.0-1.1.aarch64",
                  "product_id": "firefox-esr-translations-other-128.12.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-esr-128.12.0-1.1.ppc64le",
                "product": {
                  "name": "firefox-esr-128.12.0-1.1.ppc64le",
                  "product_id": "firefox-esr-128.12.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
                "product": {
                  "name": "firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
                  "product_id": "firefox-esr-branding-upstream-128.12.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-common-128.12.0-1.1.ppc64le",
                "product": {
                  "name": "firefox-esr-translations-common-128.12.0-1.1.ppc64le",
                  "product_id": "firefox-esr-translations-common-128.12.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-other-128.12.0-1.1.ppc64le",
                "product": {
                  "name": "firefox-esr-translations-other-128.12.0-1.1.ppc64le",
                  "product_id": "firefox-esr-translations-other-128.12.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-esr-128.12.0-1.1.s390x",
                "product": {
                  "name": "firefox-esr-128.12.0-1.1.s390x",
                  "product_id": "firefox-esr-128.12.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-branding-upstream-128.12.0-1.1.s390x",
                "product": {
                  "name": "firefox-esr-branding-upstream-128.12.0-1.1.s390x",
                  "product_id": "firefox-esr-branding-upstream-128.12.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-common-128.12.0-1.1.s390x",
                "product": {
                  "name": "firefox-esr-translations-common-128.12.0-1.1.s390x",
                  "product_id": "firefox-esr-translations-common-128.12.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-other-128.12.0-1.1.s390x",
                "product": {
                  "name": "firefox-esr-translations-other-128.12.0-1.1.s390x",
                  "product_id": "firefox-esr-translations-other-128.12.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-esr-128.12.0-1.1.x86_64",
                "product": {
                  "name": "firefox-esr-128.12.0-1.1.x86_64",
                  "product_id": "firefox-esr-128.12.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
                "product": {
                  "name": "firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
                  "product_id": "firefox-esr-branding-upstream-128.12.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-common-128.12.0-1.1.x86_64",
                "product": {
                  "name": "firefox-esr-translations-common-128.12.0-1.1.x86_64",
                  "product_id": "firefox-esr-translations-common-128.12.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "firefox-esr-translations-other-128.12.0-1.1.x86_64",
                "product": {
                  "name": "firefox-esr-translations-other-128.12.0-1.1.x86_64",
                  "product_id": "firefox-esr-translations-other-128.12.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-128.12.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64"
        },
        "product_reference": "firefox-esr-128.12.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-128.12.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le"
        },
        "product_reference": "firefox-esr-128.12.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-128.12.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x"
        },
        "product_reference": "firefox-esr-128.12.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-128.12.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64"
        },
        "product_reference": "firefox-esr-128.12.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-branding-upstream-128.12.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64"
        },
        "product_reference": "firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-branding-upstream-128.12.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le"
        },
        "product_reference": "firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-branding-upstream-128.12.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x"
        },
        "product_reference": "firefox-esr-branding-upstream-128.12.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-branding-upstream-128.12.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64"
        },
        "product_reference": "firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-common-128.12.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64"
        },
        "product_reference": "firefox-esr-translations-common-128.12.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-common-128.12.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le"
        },
        "product_reference": "firefox-esr-translations-common-128.12.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-common-128.12.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x"
        },
        "product_reference": "firefox-esr-translations-common-128.12.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-common-128.12.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64"
        },
        "product_reference": "firefox-esr-translations-common-128.12.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-other-128.12.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64"
        },
        "product_reference": "firefox-esr-translations-other-128.12.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-other-128.12.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le"
        },
        "product_reference": "firefox-esr-translations-other-128.12.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-other-128.12.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x"
        },
        "product_reference": "firefox-esr-translations-other-128.12.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-esr-translations-other-128.12.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        },
        "product_reference": "firefox-esr-translations-other-128.12.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-6424",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6424"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6424",
          "url": "https://www.suse.com/security/cve/CVE-2025-6424"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1244670 for CVE-2025-6424",
          "url": "https://bugzilla.suse.com/1244670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6424"
    },
    {
      "cve": "CVE-2025-6425",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6425"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6425",
          "url": "https://www.suse.com/security/cve/CVE-2025-6425"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1244670 for CVE-2025-6425",
          "url": "https://bugzilla.suse.com/1244670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6425"
    },
    {
      "cve": "CVE-2025-6426",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6426"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The executable file warning did not warn users before opening files with the `terminal` extension. \n*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6426",
          "url": "https://www.suse.com/security/cve/CVE-2025-6426"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1244670 for CVE-2025-6426",
          "url": "https://bugzilla.suse.com/1244670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6426"
    },
    {
      "cve": "CVE-2025-6429",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6429"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag.  This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6429",
          "url": "https://www.suse.com/security/cve/CVE-2025-6429"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1244670 for CVE-2025-6429",
          "url": "https://bugzilla.suse.com/1244670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6429"
    },
    {
      "cve": "CVE-2025-6430",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-6430"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `\u0026lt;embed\u0026gt;` or `\u0026lt;object\u0026gt;` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
          "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-6430",
          "url": "https://www.suse.com/security/cve/CVE-2025-6430"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1244670 for CVE-2025-6430",
          "url": "https://bugzilla.suse.com/1244670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-branding-upstream-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-common-128.12.0-1.1.x86_64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.aarch64",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.ppc64le",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.s390x",
            "openSUSE Tumbleweed:firefox-esr-translations-other-128.12.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-6430"
    }
  ]
}

CVE-2025-6424 (GCVE-0-2025-6424)

Vulnerability from cvelistv5 – Published: 2025-06-24 12:27 – Updated: 2025-11-03 20:06

Title

Use-after-free in FontFaceSet

Summary

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1966423
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 140 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 115.25 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 128.12 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.12 (custom)

Credits

LJP and HexRabbit (DEVCORE Research Team)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6424",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T12:36:06.501007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T12:42:03.245Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:06:57.283Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.25",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LJP and HexRabbit (DEVCORE Research Team)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
            }
          ],
          "value": "A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T15:58:30.406Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1966423"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-52/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-53/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-55/"
        }
      ],
      "title": "Use-after-free in FontFaceSet"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-6424",
    "datePublished": "2025-06-24T12:27:59.669Z",
    "dateReserved": "2025-06-20T14:51:26.620Z",
    "dateUpdated": "2025-11-03T20:06:57.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6425 (GCVE-0-2025-6425)

Vulnerability from cvelistv5 – Published: 2025-06-24 12:27 – Updated: 2025-11-03 20:07

Title

The WebCompat WebExtension shipped with Firefox exposed a persistent UUID

Summary

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1717672
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 140 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 115.25 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 128.12 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.12 (custom)

Credits

Rob Wu

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T14:21:41.910497Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-200",
                "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T14:30:48.734Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:00.354Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.25",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Rob Wu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
            }
          ],
          "value": "An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T15:59:25.655Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1717672"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-52/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-53/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-55/"
        }
      ],
      "title": "The WebCompat WebExtension shipped with Firefox exposed a persistent UUID"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-6425",
    "datePublished": "2025-06-24T12:27:59.987Z",
    "dateReserved": "2025-06-20T14:51:28.050Z",
    "dateUpdated": "2025-11-03T20:07:00.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6426 (GCVE-0-2025-6426)

Vulnerability from cvelistv5 – Published: 2025-06-24 12:28 – Updated: 2025-10-30 16:12

Title

No warning when opening executable terminal files on macOS

Summary

The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1964385
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 140 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 128.12 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.12 (custom)

Credits

pwn2car

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T14:21:30.828136Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-345",
                "description": "CWE-345 Insufficient Verification of Data Authenticity",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T14:30:17.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "pwn2car"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The executable file warning did not warn users before opening files with the \u003ccode\u003eterminal\u003c/code\u003e extension. \u003cbr\u003e*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
            }
          ],
          "value": "The executable file warning did not warn users before opening files with the `terminal` extension. \n*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:12:52.732Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1964385"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-53/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-55/"
        }
      ],
      "title": "No warning when opening executable terminal files on macOS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-6426",
    "datePublished": "2025-06-24T12:28:00.614Z",
    "dateReserved": "2025-06-20T14:51:29.856Z",
    "dateUpdated": "2025-10-30T16:12:52.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6429 (GCVE-0-2025-6429)

Vulnerability from cvelistv5 – Published: 2025-06-24 12:28 – Updated: 2025-11-03 20:07

Title

Incorrect parsing of URLs could have allowed embedding of youtube.com

Summary

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1970658
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 140 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 128.12 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.12 (custom)

Credits

Masato Kinugawa

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6429",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T14:21:21.354270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-116",
                "description": "CWE-116 Improper Encoding or Escaping of Output",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T14:28:51.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:03.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masato Kinugawa"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an \u003ccode\u003eembed\u003c/code\u003e tag.  This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
            }
          ],
          "value": "Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag.  This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:13:00.645Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970658"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-53/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-55/"
        }
      ],
      "title": "Incorrect parsing of URLs could have allowed embedding of youtube.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-6429",
    "datePublished": "2025-06-24T12:28:00.819Z",
    "dateReserved": "2025-06-20T14:51:34.184Z",
    "dateUpdated": "2025-11-03T20:07:03.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6430 (GCVE-0-2025-6430)

Vulnerability from cvelistv5 – Published: 2025-06-24 12:28 – Updated: 2025-11-03 20:07

Title

Content-Disposition header ignored when a file is included in an embed or object tag

Summary

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1971140
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 140 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 128.12 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.12 (custom)

Credits

Daniil Satyaev (Positive Technologies)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6430",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T14:21:08.967871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T14:28:07.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:05.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.12",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Daniil Satyaev (Positive Technologies)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When a file download is specified via the \u003ccode\u003eContent-Disposition\u003c/code\u003e header, that directive would be ignored if the file was included via a \u003ccode\u003e\u0026lt;embed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;object\u0026gt;\u003c/code\u003e tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
            }
          ],
          "value": "When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `\u0026lt;embed\u0026gt;` or `\u0026lt;object\u0026gt;` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 128.12, Thunderbird \u003c 140, and Thunderbird \u003c 128.12."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:13:04.217Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1971140"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-53/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-55/"
        }
      ],
      "title": "Content-Disposition header ignored when a file is included in an embed or object tag"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-6430",
    "datePublished": "2025-06-24T12:28:01.020Z",
    "dateReserved": "2025-06-20T14:51:35.561Z",
    "dateUpdated": "2025-11-03T20:07:05.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2025:15216-1

CVE-2025-6424 (GCVE-0-2025-6424)

CVE-2025-6425 (GCVE-0-2025-6425)

CVE-2025-6426 (GCVE-0-2025-6426)

CVE-2025-6429 (GCVE-0-2025-6429)

CVE-2025-6430 (GCVE-0-2025-6430)

Tags

Sightings

Nomenclature