CVE-2024-1555: 
NixOS vulnerability analysis and mitigation

CVE-2024-1555 is a security vulnerability discovered in Firefox versions prior to 123 where SameSite cookies were not properly respected when using the firefox:// protocol handler. The vulnerability was discovered by Narendra Bhati and disclosed on February 20, 2024. This issue affects Firefox browser installations and could potentially bypass SameSite cookie protections (Mozilla Advisory).

The vulnerability occurs when opening a website using the firefox:// protocol handler, which is designed to enable Chromium extensions to open websites in Firefox. When a website is opened through this protocol from an external browser, the SameSite cookie protections are not properly enforced, allowing cookies marked as SameSite=Strict to be sent in cross-site contexts. The issue has been assigned a CVSS base score of 8.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (NVD).

The vulnerability could lead to Cross-Site Request Forgery (CSRF) attacks by bypassing SameSite cookie protections. This could allow attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to account settings changes, unauthorized transactions, or other privileged actions. Additionally, the bypass could enable cross-site tracking and reduce the effectiveness of web security measures that rely on SameSite cookie protections (Mozilla Bugzilla).

The vulnerability has been fixed in Firefox version 123. Users are advised to update their Firefox installations to version 123 or later to receive the security fix. The fix involves modifying the firefox and firefox-private protocol handler behavior to properly respect SameSite cookie restrictions (Mozilla Advisory).