CVE-2022-3032: 
NixOS vulnerability analysis and mitigation

CVE-2022-3032 is a security vulnerability affecting Mozilla Thunderbird versions prior to 102.2.1 and 91.13.1. The vulnerability involves the handling of HTML emails containing iframe elements with srcdoc attributes. When such an email is received, remote objects (like images or videos) specified in the nested HTML document were not properly blocked, leading to unauthorized network access and content loading (Mozilla Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. It is categorized as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere). The issue specifically occurs when processing HTML emails containing iframe elements that use the srcdoc attribute to define inner HTML documents, where the email client fails to enforce content blocking policies for remote resources specified within these nested documents (NVD).

The vulnerability allows remote content specified in nested HTML documents to bypass Thunderbird's content blocking mechanisms. When exploited, the vulnerability enables the loading and display of remote objects such as images or videos that should have been blocked, potentially exposing users to unauthorized network connections and content loading (Mozilla Advisory).

The vulnerability has been fixed in Thunderbird versions 102.2.1 and 91.13.1. Users are advised to upgrade to these or later versions to protect against this security issue (Mozilla Advisory).