CVE-2016-9902
moderate-risk
Published 2018-06-11
The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
Do I need to act?
0.41% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
Affected Products (15)
References (16)
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2946.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2973.html
Third Party Advisory
http://www.securityfocus.com/bid/94885
Third Party Advisory
http://www.securitytracker.com/id/1037461
Third Party Advisory
https://security.gentoo.org/glsa/201701-15
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2016-94/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2016-95/
46 / 100
moderate-risk
Severity
26/34 · High
Exploitability
2/34 · Minimal
Exposure
18/34 · Moderate