CVE-2013-1638
Published 2013-02-08
CVE-2013-1638: Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.
Priority: P260, critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.04% (94.1th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opera | opera_browser | <= 12.12 | — |
| opera | opera_browser | — | — |
| opera | opera_browser | — | — |
| opera | opera_browser | — | — |
| opera | opera_browser | — | — |
| opera | opera_browser | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered via crafted SVG documents containing malicious clipPath elements; inspect SVG content served to Opera < 12.13 for nested or malformed <clipPath> definitions.
- Use-After-Free crash manifests as a call through a dangling pointer at Opera module offset 0xf8583 (Opera_6b430000+0xbc998b); crash telemetry or exploit-kit traffic targeting this offset is indicative of exploitation.
- The freed object at ECX=077c45e0 is largely zeroed (heap spray / controlled memory pattern); large blocks of null bytes followed by a vtable-like pointer (92 48 fe 7f) at the start of the freed chunk are characteristic of heap-spray exploitation of this UAF.
- The exploit targets Opera versions prior to 12.13 only; Opera 12.13 and later are not affected by this specific SVG clipPath UAF code path.
- The crash address (6b8c998b) and module base (Opera_6b430000) are specific to the tested build; ASLR or different Opera builds will shift these addresses, so signature-based detection should focus on the SVG payload structure rather than hardcoded addresses.
No detection rules found.
No writeups or analysis indexed.
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00038.html
- http://www.opera.com/docs/changelogs/unified/1213/
- http://www.opera.com/support/kb/view/1043/
Published: 2013-02-08