I don’t know how this can be considered a vulnerability, as it requires downloading any other wallet application or a fake Ledger Live to succeed. It also requires the user not to pay attention or not to cancel the transaction completely when he gets an error?
The strange thing is, why did the firmware update take about 90 days? I thought it was similar to what happened with Electrum, just upgrading to prevent popup notifications would suffice.
Edit:
Unfortunately, some third-party tools do not allow hardware wallets to obtain the previous transaction in case of SegWit inputs, which is why Trezor will not be able to sign transactions using these tools until they are updated to work correctly. Due to the responsible disclosure process, we were not able to inform the maintainers beforehand.
Web-based applications
It seems that the problem is with third-party tools and obtaining the previous transaction.
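The quoted passage says a hardware wallet needs the previous transaction for SegWit inputs. The following is an added example (not from the post or from any wallet's firmware) of one way a device can use it: a host-claimed input amount is accepted only when the supplied previous transaction hashes to the input's txid and the referenced output holds that amount. All function names and the sample transaction are constructed for illustration, and the previous transaction is assumed to be in non-witness serialization.

```python
import hashlib
import struct

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next position)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def txid_of(raw_tx):
    """Double SHA-256 of the non-witness serialization, byte-reversed hex."""
    return hashlib.sha256(hashlib.sha256(raw_tx).digest()).digest()[::-1].hex()

def output_values(raw_tx):
    """Output amounts in satoshis. Assumes non-witness serialization."""
    pos = 4                                   # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        script_len, pos = read_varint(raw_tx, pos + 36)  # skip txid + vout
        pos += script_len + 4                 # skip scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    values = []
    for _ in range(n_out):
        values.append(int.from_bytes(raw_tx[pos:pos + 8], "little"))
        script_len, pos = read_varint(raw_tx, pos + 8)
        pos += script_len                     # skip scriptPubKey
    return values

def verified_input_amount(prev_txid, vout, claimed, raw_prev_tx):
    """Return the amount only if the previous transaction proves the claim."""
    if txid_of(raw_prev_tx) != prev_txid:
        raise ValueError("previous transaction does not hash to the input's txid")
    values = output_values(raw_prev_tx)
    if vout >= len(values) or values[vout] != claimed:
        raise ValueError("claimed amount differs from the previous transaction")
    return values[vout]

def sample_prev_tx(amounts):
    """Constructed sample: one dummy input, one output per amount."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(32) + b"\xff" * 4 + b"\x00" + b"\xff" * 4
    tx += bytes([len(amounts)])
    for amount in amounts:
        tx += struct.pack("<Q", amount) + b"\x01\x51"    # 1-byte script
    return tx + bytes(4)                      # locktime

if __name__ == "__main__":
    raw = sample_prev_tx([150_000, 2_000_000])
    print(verified_input_amount(txid_of(raw), 1, 2_000_000, raw))
```

A tool that cannot hand over `raw_prev_tx` leaves the device with nothing to check the claimed amount against, which is why signing is refused until the tool is updated.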