CVE-2009-2351

Opera 9.52 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 10.00 Beta 3 Build 1699 is also affected.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
operaopera_browser
𝑥
≤ 9.52
operaopera_browser
7.0
operaopera_browser
7.23
operaopera_browser
7.53
operaopera_browser
7.54
operaopera_browser
7.60
operaopera_browser
8.0
operaopera_browser
8.01
operaopera_browser
8.02
operaopera_browser
8.50
operaopera_browser
8.51
operaopera_browser
8.52
operaopera_browser
8.53
operaopera_browser
8.54
operaopera_browser
9.0
operaopera_browser
9.01
operaopera_browser
9.02
operaopera_browser
9.10
operaopera_browser
9.12
operaopera_browser
9.20
operaopera_browser
9.21
operaopera_browser
9.22
operaopera_browser
9.51
operaopera_browser
10.00:beta_3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://websecurity.com.ua/3275/
http://websecurity.com.ua/3386/
http://www.securityfocus.com/archive/1/504718/100/0/threaded
http://www.securityfocus.com/archive/1/504723/100/0/threaded
http://www.securityfocus.com/bid/35571
http://websecurity.com.ua/3275/
http://websecurity.com.ua/3386/
http://www.securityfocus.com/archive/1/504718/100/0/threaded
http://www.securityfocus.com/archive/1/504723/100/0/threaded
http://www.securityfocus.com/bid/35571