
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in Firefox's dialog element handling (CVE-2023-6869) was discovered where a <dialog> element could be manipulated to paint content outside of a sandboxed iframe. This security flaw affects Firefox versions prior to 121 and could allow untrusted content to display under the guise of trusted content (Mozilla Advisory, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue specifically involves the manipulation of dialog elements within sandboxed iframes, where the frame structure includes a transformed block with placeholders for dialog and fixed position elements. The vulnerability stems from incorrect handling of clipping and display item building in Firefox's painting code (NVD).
The vulnerability allows untrusted content from a sandboxed iframe to paint outside its boundaries and appear as if it were trusted content from the parent page. This could be exploited for spoofing attacks in which malicious content is displayed under the guise of legitimate content from the trusted website (Mozilla Advisory).
The vulnerability has been fixed in Firefox version 121. Users are advised to upgrade to Firefox 121 or later to receive the security fix. For Gentoo Linux users, specific upgrade commands are available to update to the fixed versions (Gentoo Advisory).
Source: This report was generated using AI