CVE-2009-3013: XSS

First published: Mon Aug 31 2009(Updated: )

Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.

Credit: cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-historical
• collector/nvd-index
• agent/weakness
• agent/severity
• agent/references
• agent/author
• agent/type
• agent/description
• agent/event
• agent/last-modified-date
• agent/softwarecombine
• agent/first-publish-date
• agent/tags
• collector/mitre-cve
• source/MITRE
• vendor/opera
• canonical/opera opera browser
• version/opera opera browser/7.23
• version/opera opera browser/9.02
• version/opera opera browser/7.53
• version/opera opera browser/8.50
• version/opera opera browser/9.51
• version/opera opera browser/8.53
• version/opera opera browser/9.12
• version/opera opera browser/8.0
• version/opera opera browser/9.52
• version/opera opera browser/8.54
• version/opera opera browser/8.02
• version/opera opera browser/9.20
• version/opera opera browser/9.21
• version/opera opera browser/8.51
• version/opera opera browser/7.60
• version/opera opera browser/7.54
• version/opera opera browser/9.22
• version/opera opera browser/9.01
• version/opera opera browser/9.0
• version/opera opera browser/9.10
• version/opera opera browser/8.52
• version/opera opera browser/10.00-beta_3
• version/opera opera browser/8.01
• version/opera opera browser/7.0