CVE-2024-10458: 
NixOS vulnerability analysis and mitigation

A permission leak vulnerability (CVE-2024-10458) was discovered that could allow information to leak from a trusted site to an untrusted site through embed or object elements. The vulnerability affects multiple Mozilla products including Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132. The issue was reported by security researcher James Lee and was publicly disclosed on October 29, 2024 (Mozilla Advisory).

The vulnerability has been assigned a high severity rating with a CVSS v3.1 base score of 7.5 (HIGH) by NVD and 6.5 (MEDIUM) by CISA-ADP. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability can be exploited over the network with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (NVD).

The vulnerability allows unauthorized access to information through permission leakage between trusted and untrusted sites. This could potentially lead to sensitive data exposure when a trusted site's permissions are leaked to an untrusted site through embedded elements (Mozilla Advisory).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 132.0, Firefox ESR 128.4.0, Firefox ESR 115.17, Thunderbird 128.4.0, or Thunderbird 132.0, depending on their product version (Mozilla Advisory).