Details of VAR-201208-0202

ID

VAR-201208-0202

CVE

CVE-2012-4142

TITLE

Opera Web Browser HTML Injection Vulnerability

Trust: 0.9

sources: BID: 54779 // CNNVD: CNNVD-201207-654

DESCRIPTION

Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x before 12.01 on Mac OS X, ignores some characters in HTML documents in unspecified circumstances, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. Opera Web Browser is prone to a HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Opera Web Browser versions prior to 12.01 and 11.66 are vulnerable. It supports multi-window browsing and a customizable user interface. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201209-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Opera: Multiple vulnerabilities Date: September 25, 2012 Bugs: #429478, #434584 ID: 201209-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Opera, the worst of which may allow remote execution of arbitrary code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/opera < 12.01.1532 >= 12.01.1532 Description =========== Multiple vulnerabilities have been discovered in Opera. Please review the CVE identifiers and Opera Release Notes referenced below for details. Impact ====== A remote attacker could entice a user to open a specially crafted web page using Opera, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Opera users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/opera-12.01.1532" References ========== [ 1 ] CVE-2012-4010 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4010 [ 2 ] CVE-2012-4142 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4142 [ 3 ] CVE-2012-4143 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4143 [ 4 ] CVE-2012-4144 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4144 [ 5 ] CVE-2012-4145 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4145 [ 6 ] CVE-2012-4146 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4146 [ 7 ] Opera 12.01 for UNIX changelog http://www.opera.com/docs/changelogs/unix/1201/ Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201209-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Trust: 2.07

sources: NVD: CVE-2012-4142 // JVNDB: JVNDB-2012-003478 // BID: 54779 // VULHUB: VHN-57423 // PACKETSTORM: 116866

AFFECTED PRODUCTS

vendor:	opera	model:	browser	scope:	eq	version:	10.00	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	12.00	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.62	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.60	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.61	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.63	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.53	Trust: 1.6
vendor:	opera	model:	browser	scope:	eq	version:	10.54	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.60	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.50	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.01	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.00	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.51	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.51	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.52	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.11	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.10	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.01	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.10	Trust: 1.0
vendor:	opera	model:	browser	scope:	lte	version:	12.00	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.52.1100	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.50	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.61	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.62	Trust: 1.0
vendor:	opera	model:	browser	scope:	lte	version:	11.65	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.11	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	11.64	Trust: 1.0
vendor:	opera	model:	browser	scope:	eq	version:	10.52	Trust: 1.0
vendor:	opera asa	model:	opera	scope:	lt	version:	12. x	Trust: 0.8
vendor:	opera asa	model:	opera	scope:	eq	version:	12.01	Trust: 0.8
vendor:	suse	model:	opensuse	scope:	eq	version:	12.1	Trust: 0.3
vendor:	suse	model:	opensuse	scope:	eq	version:	11.4	Trust: 0.3
vendor:	opera	model:	software opera web browser	scope:	eq	version:	11.64	Trust: 0.3
vendor:	opera	model:	software opera web browser	scope:	eq	version:	11.62	Trust: 0.3
vendor:	opera	model:	software opera web browser	scope:	eq	version:	11.61	Trust: 0.3
vendor:	opera	model:	software opera web browser	scope:	eq	version:	11.60	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3

sources: BID: 54779 // JVNDB: JVNDB-2012-003478 // CNNVD: CNNVD-201208-020 // NVD: CVE-2012-4142

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-4142
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2012-4142
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201208-020
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-57423
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2012-4142
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-57423
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-57423 // JVNDB: JVNDB-2012-003478 // CNNVD: CNNVD-201208-020 // NVD: CVE-2012-4142

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-57423 // JVNDB: JVNDB-2012-003478 // NVD: CVE-2012-4142

THREAT TYPE

remote

Trust: 1.3

sources: PACKETSTORM: 116866 // CNNVD: CNNVD-201207-654 // CNNVD: CNNVD-201208-020

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201208-020

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-003478

PATCH

title:	Opera 12.01 for Windows changelog	url:	http://www.opera.com/docs/changelogs/windows/1201/	Trust: 0.8
title:	Opera 12.01 for UNIX changelog	url:	http://www.opera.com/docs/changelogs/unix/1201/	Trust: 0.8
title:	Opera 12.01 for Mac changelog	url:	http://www.opera.com/docs/changelogs/mac/1201/	Trust: 0.8
title:	Opera 11.66 for Mac changelog	url:	http://www.opera.com/docs/changelogs/mac/1166/	Trust: 0.8
title:	Advisory: Certain characters in HTML can incorrectly be ignored, which can facilitate XSS attacks	url:	http://www.opera.com/support/kb/view/1026/	Trust: 0.8

sources: JVNDB: JVNDB-2012-003478

EXTERNAL IDS

db:	NVD	id:	CVE-2012-4142	Trust: 2.9
db:	BID	id:	54779	Trust: 1.0
db:	JVNDB	id:	JVNDB-2012-003478	Trust: 0.8
db:	CNNVD	id:	CNNVD-201208-020	Trust: 0.7
db:	CNNVD	id:	CNNVD-201207-654	Trust: 0.6
db:	VULHUB	id:	VHN-57423	Trust: 0.1
db:	PACKETSTORM	id:	116866	Trust: 0.1

sources: VULHUB: VHN-57423 // BID: 54779 // JVNDB: JVNDB-2012-003478 // PACKETSTORM: 116866 // CNNVD: CNNVD-201207-654 // CNNVD: CNNVD-201208-020 // NVD: CVE-2012-4142

REFERENCES

url:	http://www.opera.com/docs/changelogs/unix/1201/	Trust: 1.8
url:	http://www.opera.com/docs/changelogs/mac/1166/	Trust: 1.7
url:	http://www.opera.com/docs/changelogs/mac/1201/	Trust: 1.7
url:	http://www.opera.com/docs/changelogs/windows/1201/	Trust: 1.7
url:	http://www.opera.com/support/kb/view/1026/	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4142	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4142	Trust: 0.8
url:	http://www.securityfocus.com/bid/54779	Trust: 0.6
url:	http://www.opera.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4143	Trust: 0.1
url:	http://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4146	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4145	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4144	Trust: 0.1
url:	http://security.gentoo.org/glsa/glsa-201209-11.xml	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4142	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4010	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4142	Trust: 0.1
url:	http://security.gentoo.org/	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4145	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4010	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4144	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4143	Trust: 0.1
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4146	Trust: 0.1

sources: VULHUB: VHN-57423 // BID: 54779 // JVNDB: JVNDB-2012-003478 // PACKETSTORM: 116866 // CNNVD: CNNVD-201207-654 // CNNVD: CNNVD-201208-020 // NVD: CVE-2012-4142

CREDITS

Reported by vendor.

Trust: 0.3

sources: BID: 54779

SOURCES

db:	VULHUB	id:	VHN-57423
db:	BID	id:	54779
db:	JVNDB	id:	JVNDB-2012-003478
db:	PACKETSTORM	id:	116866
db:	CNNVD	id:	CNNVD-201207-654
db:	CNNVD	id:	CNNVD-201208-020
db:	NVD	id:	CVE-2012-4142

LAST UPDATE DATE

2024-11-23T21:55:56.501000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-57423	date:	2012-08-07T00:00:00
db:	BID	id:	54779	date:	2012-09-25T23:10:00
db:	JVNDB	id:	JVNDB-2012-003478	date:	2012-08-08T00:00:00
db:	CNNVD	id:	CNNVD-201207-654	date:	2012-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201208-020	date:	2012-08-07T00:00:00
db:	NVD	id:	CVE-2012-4142	date:	2024-11-21T01:42:15.587

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-57423	date:	2012-08-06T00:00:00
db:	BID	id:	54779	date:	2012-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2012-003478	date:	2012-08-08T00:00:00
db:	PACKETSTORM	id:	116866	date:	2012-09-26T02:47:06
db:	CNNVD	id:	CNNVD-201207-654	date:	2012-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201208-020	date:	2012-08-07T00:00:00
db:	NVD	id:	CVE-2012-4142	date:	2012-08-06T16:55:06.977