CVE-2024-8383: 
NixOS vulnerability analysis and mitigation

CVE-2024-8383 is a security vulnerability discovered in Mozilla Firefox that affects Firefox versions prior to 130, Firefox ESR versions prior to 128.2, and Firefox ESR versions prior to 115.15. The vulnerability was disclosed on September 3, 2024, and relates to how Firefox handles certain URI schemes (Mozilla Advisory).

The vulnerability stems from Firefox's handling of Usenet-related schemes (news: and snews:). Normally, Firefox requests user confirmation before asking the operating system to handle unsupported schemes. However, for these specific schemes, the browser bypassed this confirmation step. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability could allow a malicious website to launch an application without user consent. Since most operating systems don't have a trusted newsreader installed by default, an attacker could exploit this by having a user download a malicious program that registers itself as a handler for these schemes. Subsequently, the website that served the malicious application could launch it at will (Mozilla Advisory).

The vulnerability has been fixed in Firefox 130, Firefox ESR 128.2, and Firefox ESR 115.15. Users are advised to update their Firefox installations to these versions or later to mitigate the vulnerability (Mozilla Advisory).