CVE-2024-11694: 
NixOS vulnerability analysis and mitigation

CVE-2024-11694 is a security vulnerability discovered in Mozilla's Enhanced Tracking Protection's Strict mode that affects multiple Mozilla products including Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. The vulnerability was reported by security researcher Masato Kinugawa and was publicly disclosed on November 26, 2024 (Mozilla Advisory).

The vulnerability involves a CSP frame-src bypass and DOM-based Cross-Site Scripting (XSS) through the Google SafeFrame shim in the Web Compatibility extension. The issue has been assigned a moderate severity rating with a CVSS v3.1 base score of 6.1 (MEDIUM) and vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

This security flaw could expose users to malicious frames masquerading as legitimate content, potentially leading to unauthorized access to user data or execution of malicious code. In Thunderbird, while the vulnerability exists, it cannot be exploited through email directly as scripting is disabled when reading mail, but remains a potential risk in browser-like contexts (Mozilla Advisory).

The vulnerability has been patched in Firefox 133, Firefox ESR 128.5, Firefox ESR 115.18, Thunderbird 133, Thunderbird 128.5, and Thunderbird 115.18. Users are advised to update their software to these versions or later to mitigate the risk (Mozilla Advisory).