CVE-2009-3013Cross-site Scripting in Browser

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.3%
top 48.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Opera Browser
Timeline
PublishedAug 31
Latest updateMay 2

Description

Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDopera/opera_browser9.52+23

🔴Vulnerability Details

2
GHSA
GHSA-hr3q-997w-pw4x: Opera 92022-05-02
CVEList
CVE-2009-3013: Opera 92009-08-31
CVE-2009-3013 — Cross-site Scripting in Opera Browser | cvebase