Description
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/
Scores
CVSS v3
6.1
EPSS
0.0036
EPSS Percentile
58.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
opera/opera
< 61.0.3076.56532
Published
Dec 23, 2020
Tracked Since
Feb 18, 2026