CVE-2020-6809: 
NixOS vulnerability analysis and mitigation

CVE-2020-6809 is a security vulnerability discovered in Mozilla Firefox versions prior to 74.0 that allowed Web Extensions with the all-urls permission to access local files on a user's system. The vulnerability was disclosed on March 10, 2020, and affected Firefox browsers where Web Extensions could read local files when making fetch requests with mode set to 'same-origin' (Mozilla Advisory).

The vulnerability occurred when a Web Extension with the all-urls permission made a fetch request with mode set to 'same-origin', which allowed unauthorized access to local files on the system. This was possible because Firefox treated file:// URLs as same-origin when this specific mode was set, bypassing intended security restrictions. The vulnerability received a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allowed malicious Web Extensions to read sensitive local files from a user's system without explicit user consent or awareness. This could potentially lead to unauthorized access to private data stored in local files, representing a significant privacy and security risk (Ubuntu Notice).

The vulnerability was fixed in Firefox version 74.0. Users were advised to update their Firefox installations to this version or later to protect against potential exploitation. After a standard system update, users needed to restart Firefox to apply all the necessary security changes (Ubuntu Notice).