CVE-2016-9902

Name
CVE-2016-9902
Description
The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s (Electrolysis, multi-process mode) enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
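The bug class described above, a privileged handler that accepts events from any origin, is easy to reproduce in ordinary web code. The following is an added illustration and is not Firefox or Pocket code: the receiver, the allowlisted origin `https://pocket-ui.example`, the command names and the sample events are all assumptions constructed for the example. It runs the same constructed events through a handler with and without an origin check so the difference is visible.

```javascript
// Added example of the CVE-2016-9902 bug class: a listener that trusts
// incoming events without checking where they came from. Not Firefox/Pocket
// code; origin, command names and event shapes are assumptions.

// Builds a stand-in for a privileged context that executes commands sent by
// its own pages. `verifyOrigin` toggles the missing check that the CVE is about.
function makeReceiver(allowedOrigin, verifyOrigin) {
  const executed = [];

  // Mimics a MessageEvent listener: `event` carries `origin` (set by the
  // browser, not forgeable by the sender) and `data` = { command, payload }.
  function onEvent(event) {
    // Hardened variant: drop anything not from the expected origin.
    // With verifyOrigin === false this branch never runs, which is the
    // vulnerable behaviour: any origin can inject commands.
    if (verifyOrigin && event.origin !== allowedOrigin) {
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    const { command, payload } = event.data || {};
    if (typeof command !== "string") {
      return { accepted: false, reason: "malformed command" };
    }
    executed.push({ command, payload, from: event.origin });
    return { accepted: true };
  }

  return { onEvent, executed };
}

// Constructed sample events (not captured traffic). One is from the trusted
// page; two are from a hypothetical attacker origin trying to inject.
const SAMPLE_EVENTS = [
  { origin: "https://pocket-ui.example",
    data: { command: "save", payload: "https://example.com/article" } },
  { origin: "https://attacker.example",
    data: { command: "inject", payload: "<img src=x onerror=alert(1)>" } },
  { origin: "https://attacker.example",
    data: { command: "save", payload: "https://phish.example/login" } },
];

// Runs all sample events through a receiver and returns what it executed.
function runScenario(verifyOrigin) {
  const rx = makeReceiver("https://pocket-ui.example", verifyOrigin);
  const results = SAMPLE_EVENTS.map((ev) => rx.onEvent(ev));
  return { results, executed: rx.executed };
}

// Stand-alone demonstration: the vulnerable receiver executes all three
// commands, the hardened one only the command from the trusted origin.
console.log("vulnerable:", runScenario(false).executed.length, "commands executed");
console.log("hardened:  ", runScenario(true).executed.length, "command executed");
```

In a real `window.postMessage` listener the check compares `event.origin` against an exact expected origin (never a substring or regex match) and usually `event.source` against the expected window as well; the sending side should likewise pass an explicit `targetOrigin` rather than `"*"` so its messages cannot be read by a page it did not intend.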
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory http://rhn.redhat.com/errata/RHSA-2016-2946.html
Third Party Advisory http://rhn.redhat.com/errata/RHSA-2016-2973.html
Third Party Advisory http://www.securityfocus.com/bid/94885
Third Party Advisory http://www.securitytracker.com/id/1037461
Exploit https://bugzilla.mozilla.org/show_bug.cgi?id=1320039
Third Party Advisory https://security.gentoo.org/glsa/201701-15
Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2016-94/
Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2016-95/

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* | enterprise_linux_desktop | (none) | == 5.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* | enterprise_linux_desktop | (none) | == 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* | enterprise_linux_desktop | (none) | == 7.0
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* | enterprise_linux_server | (none) | == 5.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* | enterprise_linux_server | (none) | == 6.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* | enterprise_linux_server | (none) | == 7.0
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:* | enterprise_linux_server_aus | (none) | == 7.3
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:* | enterprise_linux_server_aus | (none) | == 7.4
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:* | enterprise_linux_server_eus | (none) | == 7.3
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:* | enterprise_linux_server_eus | (none) | == 7.4
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:* | enterprise_linux_server_eus | (none) | == 7.5
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* | enterprise_linux_workstation | (none) | == 5.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* | enterprise_linux_workstation | (none) | == 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* | enterprise_linux_workstation | (none) | == 7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status