CVE-2024-1550: 
NixOS vulnerability analysis and mitigation

CVE-2024-1550 is a security vulnerability affecting Mozilla Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. The vulnerability allows a malicious website to manipulate the user's mouse cursor position by exploiting a combination of exiting fullscreen mode and requestPointerLock functionality, potentially leading to users inadvertently granting permissions they did not intend to grant (Mozilla Advisory).

The vulnerability stems from improper handling of mouse position restoration after releasing pointer lock. When pointer lock is requested, the system stores the mouse position and attempts to reset it to the same position after pointer lock is released. However, these actions were handled in the content process, which might not always know the precise position of the mouse, leading to unexpected behavior. In cases where the mouse position is unknown, it would reset to the top-left of content (Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could lead to user confusion and result in users unintentionally granting permissions to malicious websites. This creates a potential security risk where attackers could trick users into approving permissions they didn't mean to grant (Mozilla Advisory).

The vulnerability has been fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. The fix involves using sLastScreenPoint to restore the mouse position after releasing pointer lock. Users are advised to update their browsers to these versions or newer to mitigate the vulnerability (Mozilla Advisory, Debian Advisory).