---

CVE-2016-9901 - log back

CVE-2016-9901 created at 25 Sep 2019 19:31:40
Severity	+ Medium
Remote	+ Remote
Type	+ Insufficient validation
Description	+ HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the about:pocket-saved (unprivileged) page, giving it access to Pocket's messaging API through HTML injection.
References	+ https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9901
Notes