4.3

CVE-2009-3013

Exploit

Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header.  NOTE: the JavaScript executes outside of the context of the HTTP site.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OperaOpera Browser Version <= 9.52
OperaOpera Browser Version7.0
OperaOpera Browser Version7.23
OperaOpera Browser Version7.53
OperaOpera Browser Version7.54
OperaOpera Browser Version7.60
OperaOpera Browser Version8.0
OperaOpera Browser Version8.01
OperaOpera Browser Version8.02
OperaOpera Browser Version8.50
OperaOpera Browser Version8.51
OperaOpera Browser Version8.52
OperaOpera Browser Version8.53
OperaOpera Browser Version8.54
OperaOpera Browser Version9.0
OperaOpera Browser Version9.01
OperaOpera Browser Version9.02
OperaOpera Browser Version9.10
OperaOpera Browser Version9.12
OperaOpera Browser Version9.20
OperaOpera Browser Version9.21
OperaOpera Browser Version9.22
OperaOpera Browser Version9.51
OperaOpera Browser Version10.00 Updatebeta_3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.481
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.