CVE-2020-6813: 
NixOS vulnerability analysis and mitigation

CVE-2020-6813 is a security vulnerability discovered in Firefox versions prior to 74.0 that affects the Content Security Policy (CSP) nonce feature. When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intended security protections (Mozilla Advisory, NVD).

The vulnerability exists in the way Firefox handles CSS @import statements within style blocks that are protected by CSP nonces. When a style block is protected with a nonce-based CSP, the @import statement within that block could still load external stylesheets, effectively bypassing the CSP protection. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows attackers to bypass Content Security Policy protections and inject arbitrary styles into protected web pages. This could potentially be used to exfiltrate sensitive content data or manipulate the page's appearance in ways that weren't intended by the CSP (Mozilla Bug).

The vulnerability was fixed in Firefox 74.0. Users should upgrade to Firefox version 74.0 or later to receive the security fix. The fix prevents the inheritance of CSP nonces when loading child stylesheets through @import statements (Mozilla Bug).