CVE-2020-6798: 
NixOS vulnerability analysis and mitigation

CVE-2020-6798 is a cross-site scripting (XSS) vulnerability discovered in Mozilla Firefox and Thunderbird that affects versions prior to Firefox 73, Firefox ESR 68.5, and Thunderbird 68.5. The vulnerability was disclosed on February 11, 2020. The issue occurs when a template tag is used in a select tag, causing the parser to become confused and allow JavaScript parsing and execution when it should not be allowed (Mozilla Advisory, NVD).

The vulnerability stems from incorrect parsing of template tags within select elements. When a template tag is used inside a select tag, the parser could become confused and allow JavaScript parsing and execution in contexts where it should be blocked. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability could allow an attacker to conduct cross-site scripting (XSS) attacks against sites that rely on the browser behaving correctly. In Thunderbird, the risk is limited since scripting is disabled when reading mail, but the vulnerability remains a potential risk in browser or browser-like contexts (NVD).

The vulnerability was fixed in Firefox 73, Firefox ESR 68.5, and Thunderbird 68.5. Users are advised to upgrade to these versions or later. Various Linux distributions have also released security updates to address this vulnerability (Ubuntu Notice, Gentoo Advisory).