CVE-2024-10462: 
NixOS vulnerability analysis and mitigation

CVE-2024-10462 is a security vulnerability discovered in Mozilla products where truncation of a long URL could enable origin spoofing in permission prompts. The vulnerability affects Firefox versions before 132, Firefox ESR versions before 128.4, Thunderbird versions before 128.4, and Thunderbird versions before 132. This issue was reported by security researcher Hafiizh and was publicly disclosed on October 29, 2024 (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with no impact on confidentiality, high impact on integrity, and no impact on availability (NVD).

The vulnerability could allow an attacker to spoof the origin in permission prompts through URL truncation, potentially leading to users granting permissions to unintended origins. This represents a significant security risk as it could enable malicious websites to gain unauthorized permissions by masquerading as trusted sites (Mozilla Advisory).

The vulnerability has been fixed in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Users are advised to update their software to these versions or newer to protect against this vulnerability (Mozilla Advisory).