Description
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/
Scores
CVSS v3
6.1
EPSS
0.0063
EPSS Percentile
46.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
opera/opera
< 61.0.3076.56532
Published
Dec 23, 2020
Tracked Since
Feb 18, 2026