CVE-2016-9902
HIGHRedhat Enterprise Linux Desktop < 45.6.0 - Origin Validation Error
Title source: ruleDescription
The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
References (8)
Core 8
Core References
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2016-94/
Vendor Advisory x_refsource_confirm
https://www.mozilla.org/security/advisories/mfsa2016-95/
Exploit, Issue Tracking, Patch x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1320039
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94885
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1037461
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201701-15
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2973.html
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2946.html
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
61.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-346
Status
published
Products (15)
mozilla/firefox
< 45.6.0
redhat/enterprise_linux_desktop
5.0
redhat/enterprise_linux_desktop
6.0
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_server
5.0
redhat/enterprise_linux_server
6.0
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_aus
7.3
redhat/enterprise_linux_server_aus
7.4
redhat/enterprise_linux_server_eus
7.3
... and 5 more
Published
Jun 11, 2018
Tracked Since
Feb 18, 2026