CVE-2008-4696
Published 2008-10-23
Priority P4 · 30 · medium · CVSS 2.0 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit available
EPSS: 45.73% (98.6th percentile)
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).
Affected
62 ranges · showing 25 (the other listed ranges carry no version or fix information)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opera | opera | <= 9.61 | — |
| opera | opera | <= 9.6 | — |
Detection & IOCs (extracted from sources)

Paths:
- c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\vps\0000\md.dat
- c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\cache4\opr000EA

Detection ideas:
- Monitor for Opera browser processes writing to or reading from md.dat in the Opera profile vps directory, which stores the History Search data that is the target of the XSS injection.
- Detect navigation to opera:historysearch?q=* from within a page context, which is the trigger step used by the exploit to execute injected script stored in history.
- Detect use of opera.setPreference() to modify the 'Mail'/'External Application' and 'Mail'/'Handler' settings via script, which is the mechanism used to achieve arbitrary command execution from the XSS context.
- Detect iframe creation with src set to opera:config from within a web page context, used by the exploit to access privileged Opera configuration from the historysearch XSS.
- Flag Opera versions between 9.50 and 9.61 as vulnerable; the exploit's own vuln_test checks parseFloat(opera.version()) for this range.
- In Opera 9.52, injection is also possible via the query string (e.g. ?a="><script>), not just the URL fragment; monitor for script tags in URL query parameters stored in Opera history.

Notes:
- The exploit targets Opera versions 9.50–9.61 only; Opera 9.60 partially fixed the issue, but HTML encoding remained inconsistent for URL fragments.
- The Metasploit module only implements a Unix/CMD target (ARCH_CMD); the Windows x86 target is commented out, so the command execution payload path applies to Unix systems.
- The payload bad characters exclude tab, newline, carriage return, and space (\x09\x0a\x0d\x20), which constrains shellcode/command construction in the exploit.
- History injection only takes effect after the Opera browser is closed and reopened, as md.dat is updated when the browser closes.
GHSA
GHSA-w52x-q56h-pqx3: Opera before 9 · CVE-2008-4794 [MEDIUM] CWE-20 · ghsa_unreviewed · 2022-05-17 · CVSS 4.3
Opera before 9.62 allows remote attackers to execute arbitrary commands via the History Search results page, a different vulnerability than CVE-2008-4696.

GHSA
GHSA-hrm3-68f9-5g6j: Cross-site scripting (XSS) vulnerability in Opera · CVE-2008-4725 [MEDIUM] CWE-79 · ghsa_unreviewed · 2022-05-14 · CVSS 4.3
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera 9.52 allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly escaped before storage in the History Search database (aka md.dat), a different vector than CVE-2008-4696. NOTE: some of these issues were addressed before 9.60.

GHSA
GHSA-g928-9c86-8mr8: Cross-site scripting (XSS) vulnerability in Opera · CVE-2008-4696 [MEDIUM] CWE-79 · ghsa_unreviewed · 2022-05-14
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).
No detection rules found.
Exploit-DB
Opera historysearch - Cross-Site Scripting (Metasploit) · CVE-2008-4696 · exploitdb · 2010-11-11
---
```ruby
##
# $Id: opera_historysearch.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header, includes and autopwn_info opening were lost when the
# listing was extracted (everything between '<' and '>' was dropped); they are
# restored here from the standard Metasploit browser-exploit layout.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::OPERA,
    :javascript => true,
    :rank       => ExcellentRanking, # reliable command execution
    :vuln_test  => %Q{
      v = parseFloat(opera.version());
      // version bounds restored: the module targets Opera 9.50 through 9.61
      if (9.5 <= v && v <= 9.61) {
        is_vuln = true;
      }
    },
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Opera historysearch XSS',
      'Description' => %q{
        Certain constructs are not escaped correctly by Opera's History
        Search result
```
Exploit-DB
Opera 9.50/9.61 historysearch - Command Execution (Metasploit) · CVE-2008-4696 · exploitdb · 2008-10-23
---
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

# The class header, includes and autopwn_info opening were lost when the
# listing was extracted (everything between '<' and '>' was dropped); they are
# restored here from the standard Metasploit browser-exploit layout.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::OPERA,
    :javascript => true,
    :rank       => ExcellentRanking, # reliable command execution
    :vuln_test  => %Q{
      v = parseFloat(opera.version());
      // version bounds restored: the module targets Opera 9.50 through 9.61
      if (9.5 <= v && v <= 9.61) {
        is_vuln = true;
      }
    },
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Opera historysearch XSS',
      'Description' => %q{
        Certain constructs are not escaped correctly by Opera's History
        Search results. These can be used to inject scripts i
```
Exploit-DB
Opera 9.60 - Persistent Cross-Site Scripting · CVE-2008-4725 · exploitdb · 2008-10-22
---
= Opera Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.opera.com
=
= Affected Version:
= -- All desktop versions
=
= Public disclosure on 22nd October 2008
=

Available online at:
http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf

== Issue Details ==
Opera browser is vulnerable to stored Cross Site Scripting. A malicious attacker is able to inject arbitrary browser content through the websites visited with the Opera browser. The code injection is rendered into the Opera History Search page, which displays the URL and a short description of the visited pages.

== Bug Analysis ==
Opera.exe imports Opera.dll, which handles most of the browser functionality.
Whenever a u
Metasploit
Opera historysearch XSS
Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to modify configuration settings and execute arbitrary commands. Affects Opera versions between 9.50 and 9.61.
No writeups or analysis indexed.
References:
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00009.html
- http://secunia.com/advisories/32299
- http://secunia.com/advisories/32394
- http://secunia.com/advisories/32538
- http://security.gentoo.org/glsa/glsa-200811-01.xml
- http://securityreason.com/securityalert/4504
- http://www.openwall.com/lists/oss-security/2008/10/21/6
- http://www.openwall.com/lists/oss-security/2008/10/22/5
- http://www.opera.com/docs/changelogs/freebsd/961/
- http://www.opera.com/docs/changelogs/linux/961/
- http://www.opera.com/docs/changelogs/mac/961/
- http://www.opera.com/docs/changelogs/solaris/961/
- http://www.opera.com/docs/changelogs/windows/961/
- http://www.opera.com/support/search/view/903/
- http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf
- http://www.securityfocus.com/archive/1/497646/100/0/threaded
- http://www.securityfocus.com/bid/31869
- http://www.vupen.com/english/advisories/2008/2873
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46003
- https://www.exploit-db.com/exploits/6801