CVE-2024-10461: 
NixOS vulnerability analysis and mitigation

CVE-2024-10461 is a security vulnerability discovered in Mozilla products where in multipart/x-mixed-replace responses, the Content-Disposition: attachment in the response header was not respected and did not force a download, potentially allowing XSS (Cross-Site Scripting) attacks. This vulnerability affects Firefox versions before 132, Firefox ESR versions before 128.4, Thunderbird versions before 128.4, and Thunderbird versions before 132 (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact both confidentiality and integrity but not availability. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability could allow attackers to perform XSS attacks when the Content-Disposition: attachment header in multipart/x-mixed-replace responses is not properly enforced. For Thunderbird specifically, these flaws cannot be exploited through email because scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

The vulnerability has been fixed in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Users are advised to update their software to these versions or later to mitigate the risk (Mozilla Advisory).