CVE-2023-6211: 
NixOS vulnerability analysis and mitigation

CVE-2023-6211 is a clickjacking vulnerability discovered in Firefox versions prior to 120. The vulnerability was identified by Muneaki Nishimura and disclosed on November 21, 2023. It specifically affects Firefox's HTTPS-only mode feature, where an attacker could exploit user interactions to bypass security protections (Mozilla Advisory, NVD).

The vulnerability stems from the lack of an activation delay implementation in the HTTPS-Only mode disable button. When a user has HTTPS-only mode enabled, an attacker could trick them into clicking to grant an HTTPS-only exception through a clicking game mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network vector attack with low complexity but requiring user interaction (NVD).

The vulnerability allows attackers to potentially bypass HTTPS-only mode security protections, enabling the loading of insecure HTTP pages that would normally be blocked. This could expose users to various security risks associated with unencrypted HTTP connections. The impact is considered low severity due to the requirement of specific user interaction and the fact that HTTPS-only mode is an opt-in feature (Mozilla Advisory).

The vulnerability was fixed in Firefox version 120. Users are advised to upgrade to Firefox 120 or later to receive the security patch. The fix implements a proper delay mechanism for the HTTPS-only mode disable button to prevent clickjacking attacks (Mozilla Advisory, Gentoo Advisory).