rpm package
suse/xdg-desktop-portal&distro=SUSE Enterprise Storage 7.1
pkg:rpm/suse/xdg-desktop-portal&distro=SUSE%20Enterprise%20Storage%207.1
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6430 | Med | 6.1 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed i | |
| CVE-2025-6429 | Med | 6.5 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Fi | |
| CVE-2025-6428 | Med | 4.3 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was f | |
| CVE-2025-6427 | Cri | 9.1 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140. | |
| CVE-2025-6426 | Hig | 8.8 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb | |
| CVE-2025-6425 | Med | 4.3 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2 | |
| CVE-2025-6424 | Cri | 9.8 | < 1.8.0-150200.5.8.1 | 1.8.0-150200.5.8.1 | Jun 24, 2025 | A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. | |
| CVE-2024-32462 | — | < 1.8.0-150200.5.6.1 | 1.8.0-150200.5.6.1 | Apr 18, 2024 | Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument |
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed i
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Fi
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was f
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderb
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.2
- affected < 1.8.0-150200.5.8.1fixed 1.8.0-150200.5.8.1
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
- CVE-2024-32462Apr 18, 2024affected < 1.8.0-150200.5.6.1fixed 1.8.0-150200.5.6.1
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument
Page 2 of 2