CVE-2008-4696
published 2008-10-23


Priority: P4 (30), medium
CVSS 2.0 base score: 4.3 (vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploit: public exploit available
EPSS: 45.73% (98.6th percentile)
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).

Affected

62 ranges (showing 25)

Vendor   Product   Version range   Fixed in
opera    opera     <= 9.61
opera    opera     <= 9.6
opera    opera     (the remaining 23 displayed rows carry no version range or fixed-in value)

Detection & IOCs (extracted from sources)

path: c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\vps\0000\md.dat
path: c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\cache4\opr000EA
url: opera:historysearch?q=*
url: opera:config
filename: md.dat
  • Monitor for Opera browser processes writing to or reading from md.dat in the Opera profile vps directory, which stores history search data that is the target of the XSS injection.
  • Detect navigation to opera:historysearch?q=* from within a page context, which is the trigger step used by the exploit to execute injected script stored in history.
  • Detect use of opera.setPreference() to modify 'Mail'/'External Application' and 'Mail'/'Handler' settings via script, which is the mechanism used to achieve arbitrary command execution from the XSS context.
  • Detect iframe creation with src set to opera:config from within a web page context, used by the exploit to access privileged Opera configuration from the historysearch XSS.
  • Flag Opera versions between 9.50 and 9.61 as vulnerable; the exploit's own vuln_test checks parseFloat(opera.version()) for this range.
  • In Opera 9.52, injection is also possible via the query string (e.g. ?a="><script>), not just the URL fragment — monitor for script tags in URL query parameters stored in Opera history.
  • The exploit targets Opera versions 9.50–9.61 only; Opera 9.60 partially fixed the issue, but HTML encoding remained inconsistent for URL fragments.
  • The Metasploit module only implements a Unix/CMD target (ARCH_CMD); the Windows x86 target is commented out, so the command execution payload path applies to Unix systems.
  • The payload bad characters exclude tab, newline, carriage return, and space (\x09\x0a\x0d\x20), which constrains shellcode/command construction in the exploit.
  • History injection only takes effect after the Opera browser is closed and reopened, because md.dat is written when the browser closes.