CVE-2016-9902

HIGH

Red Hat Enterprise Linux Desktop < 45.6.0 - Origin Validation Error

Title source: rule

Description

The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.

Scores

CVSS v3 7.5
EPSS 0.0041
EPSS Percentile 61.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-346
Status published

Affected Products (15)

redhat/enterprise_linux_desktop
redhat/enterprise_linux_desktop
redhat/enterprise_linux_desktop
redhat/enterprise_linux_server
redhat/enterprise_linux_server
redhat/enterprise_linux_server
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_workstation
redhat/enterprise_linux_workstation
redhat/enterprise_linux_workstation
mozilla/firefox < 45.6.0

Timeline

Published Jun 11, 2018
Tracked Since Feb 18, 2026