QwikSec

Security Database

CVE

CWE

Training

CVE-2009-3266

Published: Sep 18, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

Opera before 10.01 does not properly restrict HTML in a (1) RSS or (2) Atom feed, which allows remote attackers to conduct cross-site scripting (XSS) attacks, and conduct cross-zone scripting attacks involving the Feed Subscription Page to read feeds or create feed subscriptions, via a crafted feed, related to the rendering of the application/rss+xml content type as "scripted content."

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.opera.com/support/kb/view/939/

x_refsource_CONFIRM

vdb-entry

x_refsource_VUPEN

20090916 Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

mailing-list

x_refsource_BUGTRAQ

20091028 Hijacking Opera's Native Page using malicious RSS payloads

mailing-list

x_refsource_BUGTRAQ

http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/

x_refsource_MISC

vdb-entry

x_refsource_OSVDB

http://www.opera.com/docs/changelogs/unix/1001/

x_refsource_CONFIRM

third-party-advisory

x_refsource_SECUNIA

vdb-entry

x_refsource_BID

http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/

x_refsource_MISC

vdb-entry

x_refsource_BID

opera-feed-security-bypass(54021)

vdb-entry

x_refsource_XF

oval:org.mitre.oval:def:6314

vdb-entry

signature

x_refsource_OVAL

http://www.opera.com/docs/changelogs/mac/1001/

x_refsource_CONFIRM

http://www.opera.com/docs/changelogs/windows/1001/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.