CVE-2024-10460: 
NixOS vulnerability analysis and mitigation

CVE-2024-10460 is a security vulnerability discovered in Mozilla products that affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. The vulnerability was disclosed on October 29, 2024, and involves a potential security issue where the origin of an external protocol handler prompt could be obscured using a data: URL within an iframe (Mozilla Advisory).

The vulnerability is classified with a moderate severity rating and has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) by NIST NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. CISA-ADP has assigned a slightly different score of 5.4 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is categorized as CWE-346 (Origin Validation Error) (NVD).

The vulnerability could allow an attacker to obscure the origin of an external protocol handler prompt, potentially leading to confusion about the source of the prompt. This could result in users being misled about the origin of protocol handler requests, which may lead to security implications (Mozilla Advisory).

The vulnerability has been fixed in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Users are advised to update their software to these versions or later to mitigate the vulnerability (Mozilla Advisory).