Opera < 11.60 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 6105

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

The remote host is running the Opera web browser.

Versions of Opera earlier than 11.60 are potentially affected by multiple vulnerabilities:

- Top-level domain separation rules are not honored for two-letter top-level domains, e.g., .us or .uk, and some three-letter top-level domains. This error can allow sites to set the scripting context to the top-level domain. Further, this can allow sites to set and read cookies from other sites whose scripting context is set to the same top-level domain. (Issue 1003)

- An error exists in the SSLv3 and TLSv1.3 specification that can allow the BEAST attack. (Issue 1004)

- An error exists in the implementation of the JavaScript 'in' operator that can allow sites to verify the existence of variables of sites in other domains. (Issue 1005)

- An unspecified, moderately severe issue exists. Details are to be disclosed by the vendor at a later date.

Solution

Upgrade to Opera 11.60 or later.

See Also

http://netifera.com/research

http://www.opera.com/support/kb/view/1003

http://www.opera.com/support/kb/view/1004

http://www.opera.com/support/kb/view/1005

http://www.opera.com/docs/changelogs/windows/1160

Plugin Details

Severity: High

ID: 6105

File Name: 6105.prm

Family: Web Clients

Published: 2011/12/07

Modified: 2017/02/02

Dependencies: 1735, 8314

Nessus ID: 57039

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:opera:opera_browser

Patch Publication Date: 2011/12/06

Vulnerability Publication Date: 2011/08/31

Reference Information

CVE: CVE-2011-3389, CVE-2011-4010, CVE-2011-4681, CVE-2011-4682, CVE-2011-4683, CVE-2011-4686, CVE-2011-4687

BID: 49778, 50914, 50915, 50916, 51027, 55345

OSVDB: 74829, 77550, 77551, 77552, 77614, 77615, 77616, 77617

IAVB: 2012-B-0006