# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2019-13607 |
79 |
|
XSS |
2019-07-18 |
2019-08-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The Opera Mini application through 16.0.14 for iOS has a UXSS vulnerability that can be triggered by performing navigation to a javascript: URL. |
2 |
CVE-2018-6608 |
200 |
|
+Info |
2018-03-28 |
2018-04-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
In the WebRTC component in Opera 51.0.2830.55, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request. |
3 |
CVE-2015-4000 |
310 |
|
|
2015-05-20 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. |
4 |
CVE-2015-2808 |
310 |
|
|
2015-03-31 |
2018-01-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue. |
5 |
CVE-2014-1870 |
|
|
|
2014-02-06 |
2014-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 19 on Mac OS X allows user-assisted remote attackers to spoof the address bar via vectors involving a drag-and-drop operation. |
6 |
CVE-2014-0815 |
200 |
|
+Info |
2014-02-06 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The intent: URL implementation in Opera before 18 on Android allows attackers to read local files by leveraging an interaction error, as demonstrated by reading stored cookies. |
7 |
CVE-2013-4705 |
79 |
|
XSS |
2013-09-13 |
2013-09-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows remote attackers to inject arbitrary web script or HTML by leveraging UTF-8 encoding. |
8 |
CVE-2013-2566 |
310 |
|
|
2013-03-15 |
2018-01-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. |
9 |
CVE-2013-1618 |
310 |
|
|
2013-02-08 |
2013-02-11 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
The TLS implementation in Opera before 12.13 does not properly consider timing side-channel attacks on a MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. |
10 |
CVE-2012-6472 |
264 |
|
+Priv +Info |
2013-01-02 |
2013-01-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Opera before 12.12 on UNIX uses weak permissions for the profile directory, which allows local users to obtain sensitive information by reading a (1) cache file, (2) password file, or (3) configuration file, or (4) possibly gain privileges by modifying or overwriting a configuration file. |
11 |
CVE-2012-6467 |
|
|
|
2013-01-02 |
2015-09-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 12.10 follows Internet shortcuts that are referenced by a (1) IMG element or (2) other inline element, which makes it easier for remote attackers to conduct phishing attacks via a crafted web site, as exploited in the wild in November 2012. |
12 |
CVE-2012-6464 |
79 |
|
XSS |
2013-01-02 |
2013-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows remote attackers to inject arbitrary web script or HTML via crafted JavaScript code that overrides methods of unspecified native objects in documents that have different origins. |
13 |
CVE-2012-6463 |
79 |
|
XSS |
2013-01-02 |
2013-01-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an unspecified sequence of loading of documents and loading of data: URLs. |
14 |
CVE-2012-5180 |
200 |
|
+Info |
2012-12-26 |
2013-01-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The Opera Mobile application before 12.1 and Opera Mini application before 7.5 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. |
15 |
CVE-2012-4146 |
119 |
|
DoS Overflow |
2012-08-06 |
2012-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 12.01 allows remote attackers to cause a denial of service (application crash) via a crafted web site, as demonstrated by the Lenovo "Shop now" page. |
16 |
CVE-2012-4144 |
79 |
|
XSS Bypass |
2012-08-06 |
2012-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before 12.01 on Mac OS X, does not properly escape characters in DOM elements, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted HTML document. |
17 |
CVE-2012-4142 |
79 |
|
XSS |
2012-08-06 |
2012-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before 12.01 on Mac OS X, ignores some characters in HTML documents in unspecified circumstances, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. |
18 |
CVE-2012-3566 |
|
|
DoS |
2012-06-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 12.00 Beta allows user-assisted remote attackers to cause a denial of service (application hang) via JavaScript code that changes a form before submission. |
19 |
CVE-2012-3562 |
|
|
DoS |
2012-06-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 12.00 Beta allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted web page that is not properly handled during a reload, as demonstrated by a "multiple origin camera test" page. |
20 |
CVE-2012-3560 |
264 |
|
|
2012-06-14 |
2012-06-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 11.65 does not ensure that the address field corresponds to the displayed web page during blocked navigation, which makes it easier for remote attackers to conduct spoofing attacks by detecting and preventing attempts to load a different web page. |
21 |
CVE-2012-1931 |
264 |
|
|
2012-03-27 |
2018-01-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Opera before 11.62 on UNIX, when used in conjunction with an unspecified printing application, allows local users to overwrite arbitrary files via a symlink attack on a temporary file during printing. |
22 |
CVE-2012-1930 |
264 |
|
+Info |
2012-03-27 |
2018-01-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Opera before 11.62 on UNIX uses world-readable permissions for temporary files during printing, which allows local users to obtain sensitive information by reading these files. |
23 |
CVE-2011-3389 |
20 |
|
|
2011-09-06 |
2018-10-12 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. |
24 |
CVE-2011-3388 |
200 |
|
+Info |
2011-09-06 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 11.51 allows remote attackers to cause an insecure site to appear secure or trusted via unspecified actions related to Extended Validation and loading content from trusted sources in an unspecified sequence that causes the address field and page information dialog to contain security information based on the trusted site, instead of the insecure site. |
25 |
CVE-2011-2630 |
20 |
|
DoS |
2011-07-01 |
2011-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 11.11 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted web page that is not properly handled during a reload occurring after the opening of a popup of the Easy Sticky Note extension. |
26 |
CVE-2011-2624 |
399 |
|
DoS |
2011-07-01 |
2011-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 11.50 allows user-assisted remote attackers to cause a denial of service (application hang) via a large table, which is not properly handled during a print preview. |
27 |
CVE-2011-2611 |
|
|
DoS |
2011-07-01 |
2011-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Unspecified vulnerability in the printing functionality in Opera before 11.50 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted web page. |
28 |
CVE-2011-2609 |
79 |
|
XSS |
2011-07-01 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 11.50 does not properly restrict data: URIs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. |
29 |
CVE-2011-1824 |
20 |
|
DoS Exec Code |
2011-05-10 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
The VEGAOpBitmap::AddLine function in Opera before 10.61 does not properly initialize memory during processing of the SIZE attribute of a SELECT element, which allows remote attackers to trigger an invalid memory write operation, and consequently cause a denial of service (application crash) or possibly execute arbitrary code, via a large integer attribute value. |
30 |
CVE-2011-1337 |
399 |
|
DoS |
2011-07-01 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 11.50 allows remote attackers to cause a denial of service (disk consumption) via invalid URLs that trigger creation of error pages. |
31 |
CVE-2011-0687 |
20 |
|
DoS |
2011-01-31 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 11.01 does not properly implement Wireless Application Protocol (WAP) dropdown lists, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted WAP document. |
32 |
CVE-2011-0683 |
264 |
|
|
2011-01-31 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 11.01 does not properly restrict the use of opera: URLs, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
33 |
CVE-2011-0681 |
|
|
Bypass |
2011-01-31 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The Cascading Style Sheets (CSS) Extensions for XML implementation in Opera before 11.01 recognizes links to javascript: URLs in the -o-link property, which makes it easier for remote attackers to bypass CSS filtering via a crafted URL. |
34 |
CVE-2010-5068 |
200 |
|
+Info |
2011-12-07 |
2012-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
The Cascading Style Sheets (CSS) implementation in Opera 10.5 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. |
35 |
CVE-2010-4050 |
119 |
|
DoS Overflow Mem. Corr. |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 10.63 allows remote attackers to cause a denial of service (memory corruption) by referencing an SVG document in an IMG element. |
36 |
CVE-2010-4049 |
20 |
|
DoS |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 10.63 allows remote attackers to cause a denial of service (application crash) via a Flash movie with a transparent Window Mode (aka wmode) property, which is not properly handled during navigation away from the containing HTML document. |
37 |
CVE-2010-4048 |
20 |
|
DoS |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 10.63 allows user-assisted remote web servers to cause a denial of service (application crash) by sending a redirect during the saving of a file. |
38 |
CVE-2010-4047 |
79 |
|
XSS |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 10.63 does not properly select the security context of JavaScript code associated with an error page, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. |
39 |
CVE-2010-4046 |
200 |
|
+Info |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Opera before 10.63 does not properly verify the origin of video content, which allows remote attackers to obtain sensitive information by using a video stream as HTML5 canvas content. |
40 |
CVE-2010-4044 |
20 |
|
|
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 10.63 does not ensure that the portion of a URL shown in the Address Bar contains the beginning of the URL, which allows remote attackers to spoof URLs by changing a window's size. |
41 |
CVE-2010-4043 |
264 |
|
+Info |
2010-10-21 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Opera before 10.63 does not prevent interpretation of a cross-origin document as a CSS stylesheet when the document lacks a CSS token sequence, which allows remote attackers to obtain sensitive information via a crafted document. |
42 |
CVE-2010-3021 |
399 |
|
DoS |
2010-08-16 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Unspecified vulnerability in Opera before 10.61 allows remote attackers to cause a denial of service (CPU consumption and application hang) via an animated PNG image. |
43 |
CVE-2010-2665 |
79 |
|
XSS |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Opera before 10.54 on Windows and Mac OS X, and before 10.11 on UNIX platforms, allows remote attackers to inject arbitrary web script or HTML via a data: URI, related to incorrect detection of the "opening site." |
44 |
CVE-2010-2664 |
|
|
DoS |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 10.60 allows remote attackers to cause a denial of service (application hang) via certain HTML content that has an unclosed SPAN element with absolute positioning. |
45 |
CVE-2010-2663 |
|
|
DoS |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Opera before 10.60 allows remote attackers to cause a denial of service (application hang) via an ended event handler that changes the SRC attribute of an AUDIO element. |
46 |
CVE-2010-2662 |
264 |
|
Bypass |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 10.60 allows remote attackers to bypass the popup blocker via a javascript: URL and a "fake click." |
47 |
CVE-2010-2661 |
264 |
|
+Info |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX platforms, does not properly restrict access to the full pathname of a file selected for upload, which allows remote attackers to obtain potentially sensitive information via unspecified DOM manipulations. |
48 |
CVE-2010-2660 |
264 |
|
|
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX platforms, does not properly restrict certain uses of homograph characters in domain names, which makes it easier for remote attackers to spoof IDN domains via unspecified choices of characters. |
49 |
CVE-2010-2659 |
200 |
|
+Info |
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10.60 on UNIX platforms makes widget properties accessible to third-party domains, which allows remote attackers to obtain potentially sensitive information via a crafted web site. |
50 |
CVE-2010-2658 |
20 |
|
|
2010-07-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Opera before 10.60 does not properly restrict certain interaction between plug-ins, file inputs, and the clipboard, which allows user-assisted remote attackers to trigger the uploading of arbitrary files via a crafted web site. |