CVE-2023-4054: 
NixOS vulnerability analysis and mitigation

CVE-2023-4054 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that affects Windows systems. When opening appref-ms files (ClickOnce application reference files), Firefox did not warn users that these files may contain malicious code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1, but only impacts Windows operating systems (Mozilla Advisory, NVD).

The vulnerability is rated with a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates that the vulnerability requires local access and user interaction, has no impact on confidentiality or availability, but has a high impact on integrity. The issue specifically relates to the handling of .appref-ms files, which are ClickOnce application reference files that can contain potentially malicious code (NVD).

The vulnerability could allow malicious actors to execute harmful code through .appref-ms files without triggering appropriate security warnings to users. This creates a potential security risk where users might unknowingly execute malicious code through these files. The impact is limited to Windows systems, as other operating systems are unaffected by this vulnerability (Mozilla Advisory).

The vulnerability has been fixed in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Users should update their Firefox and Thunderbird installations to these versions or newer to receive the security fix. The fix implements appropriate warning messages when attempting to open .appref-ms files (Mozilla Advisory).