KLA11714 Multiple vulnerabilities in Opera

2019-10-30 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 6.8 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.3 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 76.7%)

Multiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof the user interface, or cause denial of service.

Below is a complete list of vulnerabilities:

  1. Cross-origin data leak vulnerability can be exploited to achieve arbitrary code execution;
  2. Security UI vulnerability in full screen mode can be exploited remotely via a crafted web page to perform domain spoofing;
  3. URL spoof vulnerability in navigation can be exploited to achieve arbitrary code execution;
  4. Out-of-bounds read vulnerability in PDFium can be exploited to achieve arbitrary code execution;
  5. Unspecified vulnerability in libexpat can be exploited remotely via a specially crafted XML file to obtain sensitive information;
  6. File download protection bypass vulnerability can be exploited to achieve arbitrary code execution;
  7. Privilege elevation vulnerability in Installer can be exploited to achieve arbitrary code execution;
  8. Use-after-free vulnerability in media can be exploited to achieve arbitrary code execution;
  9. IDN spoof vulnerability can be exploited to achieve arbitrary code execution;
  10. CSP bypass vulnerability can be exploited to achieve arbitrary code execution;
  11. CSS injection vulnerability can be exploited to achieve arbitrary code execution;
  12. Cross-context information leak vulnerability can be exploited to achieve arbitrary code execution;
  13. Extension permission bypass vulnerability can be exploited to achieve arbitrary code execution;
  14. Service worker state error vulnerability can be exploited to achieve arbitrary code execution;
  15. Address bar spoofing vulnerability can be exploited to achieve arbitrary code execution;
  16. Use-after-free vulnerability in content delivery manager can be exploited remotely via a crafted web page to potentially cause denial of service;
  17. File storage disclosure vulnerability can be exploited to achieve arbitrary code execution;
  18. URL bar spoofing vulnerability can be exploited to achieve arbitrary code execution;
  19. Buffer overrun vulnerability in Blink can be exploited to achieve arbitrary code execution;
  20. HTTP authentication spoof vulnerability can be exploited to achieve arbitrary code execution.

Original advisories

Changelog for Opera 65

Stable Channel Update for Desktop

Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit.

Related products

Opera

CVE list

CVE-2019-13699 high

CVE-2019-13700 high

CVE-2019-13701 warning

CVE-2019-13702 high

CVE-2019-13703 warning

CVE-2019-13704 warning

CVE-2019-13705 warning

CVE-2019-13706 high

CVE-2019-13707 warning

CVE-2019-13708 warning

CVE-2019-13709 warning

CVE-2019-13710 warning

CVE-2019-13711 warning

CVE-2019-15903 warning

CVE-2019-13713 warning

CVE-2019-13714 warning

CVE-2019-13715 warning

CVE-2019-13716 warning

CVE-2019-13717 warning

CVE-2019-13718 warning

CVE-2019-13719 warning

CVE-2019-13765 warning

Solution

Update to the latest version

Download Opera

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or in the vulnerable process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that mislead the user into incorrect behavior.

Affected Products

  • Opera earlier than 65.0.3467.24
