Sdna.Muneaki.Nishimura

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 46.0 **Description** The issue allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism. This is achieved via the `multipart/x-mixed-replace` content type. The vulnerability is related to insufficient access control in the browser. **Recommendations** For versions prior to 46.0, update to version 46.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `multipart/x-mixed-replace` content type until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 36.0 **Description** The issue arises from the improper recognition of domain name equivalence with and without a trailing dot character, allowing man-in-the-middle attackers to bypass HPKP and HSTS protection mechanisms. This is achieved by constructing a URL with the trailing dot character and leveraging access to an X.509 certificate for a domain with this character. **Recommendations** For versions prior to 36.0, update to version 36.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 35.0 Firefox ESR versions 31.x prior to 31.4 Thunderbird versions prior to 31.4 SeaMonkey versions prior to 2.32 **Description** The issue allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, due to the omission of the CORS Origin header in the navigator.sendBeacon implementation. **Recommendations** For Mozilla Firefox versions prior to 35.0, update to version 35.0 or later. For Firefox ESR versions 31.x prior to 31.4, update to version 31.4 or later. For Thunderbird versions prior to 31.4, update to version 31.4 or later. For SeaMonkey versions prior to 2.32, update to version 2.32 or later.