CVE-2024-1547: 
NixOS vulnerability analysis and mitigation

CVE-2024-1547 is a high-impact security vulnerability affecting Mozilla Firefox versions prior to 123, Firefox ESR versions before 115.8, and Thunderbird versions before 115.8. The vulnerability was discovered by Irvan Kurniawan and publicly disclosed on February 20, 2024. The issue allows an attacker to display a malicious alert dialog on another website while showing the victim website's URL through a series of API calls and redirects (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, requires user interaction, and can result in high impact to integrity (NVD).

The vulnerability allows attackers to create spoofed alert dialogs that appear to come from legitimate websites, potentially leading to user confusion and deception. This could be used in phishing attacks or other social engineering attempts to trick users into taking unintended actions (Mozilla Advisory).

The vulnerability has been fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Users are strongly advised to update their installations to these versions or newer. For Debian 10 users, fixed packages are available as version 115.8.0esr-1~deb10u1 for Firefox ESR and version 1:115.8.0-1~deb10u1 for Thunderbird (Debian Advisory).