CVE-2020-6159 (GCVE-0-2020-6159)

Vulnerability from cvelistv5 – Published: 2020-12-23 15:08 – Updated: 2024-08-04 08:55
VLAI?
Summary
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.
Severity ?
No CVSS data available.
CWE
  • CWE-79 - Cross-site Scripting (CWE-79)
Assigner
References
Impacted products
Vendor Product Version
n/a Opera for Android Affected: Below 61.0.3076.56532
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:55:21.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Opera for Android",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Below 61.0.3076.56532"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "URLs using \u201cjavascript:\u201d have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site Scripting (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-23T15:08:58.000Z",
        "orgId": "9aee7086-24f5-48b4-9428-908ac90b8b54",
        "shortName": "Opera"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@opera.com",
          "ID": "CVE-2020-6159",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Opera for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Below 61.0.3076.56532"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "URLs using \u201cjavascript:\u201d have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (CWE-79)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/",
              "refsource": "MISC",
              "url": "https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9aee7086-24f5-48b4-9428-908ac90b8b54",
    "assignerShortName": "Opera",
    "cveId": "CVE-2020-6159",
    "datePublished": "2020-12-23T15:08:58.000Z",
    "dateReserved": "2020-01-07T00:00:00.000Z",
    "dateUpdated": "2024-08-04T08:55:21.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.