### [CVE-2018-5164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5164)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2060%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CSP%20not%20applied%20to%20all%20multipart%20content%20sent%20with%20multipart%2Fx-mixed-replace&color=brighgreen)

### Description

Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. This vulnerability affects Firefox < 60.

### POC

#### Reference
- https://bugzilla.mozilla.org/show_bug.cgi?id=1416045

#### Github
- https://github.com/V1n1v131r4/Bypass-CSP-against-MIME-Confusion-Attack
- https://github.com/octane23/CASE-STUDY-1