391 matches found
Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers – Opera Security Advisories
When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DO...
Plug-in content may monitor keystrokes on unrelated pages – Opera Security Advisories
Plug-ins may use operating system features to detect key presses when the plug-in is focused. If the plug-in does not detect its own focused state correctly, it can detect key presses when other pages are focused, allowing the plug-in content to detect key presses intended for pages from other...
Hidden keyboard navigation can allow cross site scripting or code execution – Opera Security Advisories
When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can en...
Carefully timed reloads and redirects can spoof the address field – Opera Security Advisories
The address field should always show the address of the page that is being displayed. In certain cases, if a target site responds slowly, reloading an attacking page and redirecting to the target page can cause the address field to show the target site’s address, while the attacking site is still...
Web page content may overlap the address field – Opera Security Advisories
The browser’s user interface contains several pieces of security information. To preserve this information correctly, web page content should not be able to display over the user interface. Certain styling can cause Opera to allow the content to be displayed outside the page, over the address...
Changing from a single-user to a multi-user installation on Windows (rev2) – Opera Security Advisories
Changing from a single-user to a multi-user installation on Windows rev2 – Opera Security Advisories OPCOM Team | January 5, 2012 If you received the error message “There was a problem initializing Opera Mail. Engine Init Failed”, it may mean that you have a stand-alone USB installation of Opera...
Data URIs may be used to initiate cross site scripting against unrelated sites – Opera Security Advisories
Data URIs are supposed to inherit the security context from the page that created them. In some cases, Opera does not enforce this correctly, and will allow unrelated data URIs to interact both with each other, and their source pages. This can be used to enable cross site scripting against the...
Reloads and redirects can allow spoofing and cross site scripting – Opera Security Advisories
Reloads and redirects can allow spoofing and cross site scripting – Opera Security Advisories OPCOM Team | October 6, 2010 Severity Critical Description Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context...
Unrestricted File I/O can be used by Widgets to execute arbitrary code – Opera Security Advisories
Unrestricted File I/O can be used by Widgets to execute arbitrary code – Opera Security Advisories OPCOM Team | June 29, 2010 Severity Highly severe Description Widgets may use File I/O to create, read, modify, or delete files, with the user’s permission. When using this functionality, Opera shou...
HTTP Content-Length header can be used to execute arbitrary code – Opera Security Advisories
HTTP Content-Length header can be used to execute arbitrary code – Opera Security Advisories OPCOM Team | March 17, 2010 Affected versions This vulnerability affects Opera for Microsoft Windows. Severity Highly Severe Description Large values in the HTTP Content-Length header can cause Opera to...
Cross-domain data theft with CSS load – Opera Security Advisories
Cross-domain data theft with CSS load – Opera Security Advisories OPCOM Team | January 11, 2010 Summary CSS can be loaded cross-domain, and in some cases it is be possible to read the data pointed to, leading to the possibility of cross-domain data theft. Severity Moderate Opera’s response Opera...
Web fonts can be used to spoof the page address – Opera Security Advisories
In some cases, a Web font intended to be used for page content could be incorrectly used by Opera to render parts of the user interface, including the address field. This can be used by a malicious site to display a false domain name in the address field...
Random number generator and input name linebreaks can be used to send custom data to other sites – Opera Security Advisories
Random number generator and input name linebreaks can be used to send custom data to other sites – Opera Security Advisories OPCOM Team | June 10, 2009 Severity Moderately severe Problem description Input names can contain line breaks when data is sent using POST. Suitable use of the random numbe...
Specially crafted JPEG images can be used to execute arbitrary code – Opera Security Advisories
Specially crafted JPEG images can be used to execute arbitrary code – Opera Security Advisories OPCOM Team | February 25, 2009 Severity Extremely Severe Problem Description Specially crafted JPEG images can cause Opera to corrupt memory and crash. Successful exploitation can lead to execution of...
Feed preview can reveal contents of unrelated news feeds – Opera Security Advisories
Feed preview can reveal contents of unrelated news feeds – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Highly Severe Platforms All desktop versions Problem Description When Opera is previewing a news feed, some scripts are not correctly blocked. These scripts are able to...
Feed subscription can cause the wrong page address to be displayed – Opera Security Advisories
Feed subscription can cause the wrong page address to be displayed – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Not Severe Problem Description It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed...
History Search can reveal browsing history – Opera Security Advisories
History Search can reveal browsing history – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Extremely Severe Platforms All desktop versions Problem Description Certain constructs are not escaped correctly by Opera’s History Search results. These can be used to inject scripts in...
Representation of DOM attribute values could allow cross-site scripting – Opera Security Advisories
Representation of DOM attribute values could allow cross-site scripting – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description When XML is imported into a document, its attribute values are not correctly presented to the DOM. This can allow their...
Opera security upgrade for Linux, Solaris and FreeBSD – Opera Security Advisories
Opera security upgrade for Linux, Solaris and FreeBSD – Opera Security Advisories OPCOM Team | December 16, 2008 Summary Opera 9.20 has a highly recommended security upgrade for users of the Adobe Flash Player on Linux, Solaris and FreeBSD Severity Highly critical Problem description A security...
Malformed bitmaps can reveal old data from random places in memory – Opera Security Advisories
Malformed bitmaps can reveal old data from random places in memory – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Moderately Severe Problem Description Specially malformed bitmap images can cause Opera to render the image using a palette made up from uninitialized memory. Usi...
Script injection in feed preview can reveal contents of unrelated news feeds – Opera Security Advisories
Script injection in feed preview can reveal contents of unrelated news feeds – Opera Security Advisories OPCOM Team | December 15, 2008 Severity Highly Severe Problem Description When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which ar...
Pages held in frames are able to change the location of pages in unrelated frames on the parent page – Opera Security Advisories
Pages held in frames are able to change the location of pages in unrelated frames on the parent page – Opera Security Advisories OPCOM Team | June 11, 2008 Severity: Less Severe Problem Description: Pages from different sources held on the same parent page should not be able to modify the locatio...
Certain characters can obscure the page address – Opera Security Advisories
Certain characters can obscure the page address – Opera Security Advisories OPCOM Team | June 9, 2008 Severity: Less Severe Problem Description When a page address contains certain characters, they can cause the page address text to be misplaced. In some cases, this could make characters be...
Very large link addresses can cause Opera to crash – Opera Security Advisories
Very large link addresses can cause Opera to crash – Opera Security Advisories OPCOM Team | October 17, 2006 Summary: Very large link addresses can cause Opera to crash. Severity: Moderate Problem description An extremely long link address can cause Opera to crash.A specially crafted long link...
A forged SSL server certificate can be accepted by Opera as a valid certificate – Opera Security Advisories
A forged SSL server certificate can be accepted by Opera as a valid certificate – Opera Security Advisories OPCOM Team | September 21, 2006 Summary: A forged SSL server certificate can be accepted by Opera as a valid certificate. Severity: Highly critical Vulnerable versions: Opera for desktop...
Malicious setRequestHeader cross-site vulnerability – Opera Security Advisories
Malicious setRequestHeader cross-site vulnerability – Opera Security Advisories OPCOM Team | September 29, 2005 Summary A malicious setRequestHeader can be used to stealuser credentials and inject cross-site JavaScript. Severity: high Opera’s response Since version 8.02 of Opera, double newlineso...
How does Opera make money? An explainer on monetization
Privacy How does Opera make money? An explainer on monetization Share June 22nd, 2026 Hi, Opera users! As many of you know, our products are free to download and use – so one of the most common questions we get from users is, “how does Opera make money?” It’s a fair question, and the answer is...
Opera for Android has received Google Play’s Independent Security Review badge. Here’s what this means for your security
Security Opera for Android has received Google Play’s Independent Security Review badge. Here’s what this means for your security Share January 30th, 2025 Hey Opera users! You might have seen that Opera for Android has achieved a new security-focused milestone: If you search for Opera for Android...
Opera’s response to misleading headlines regarding the “MyFlaw” security vulnerability
Security Opera’s response to misleading headlines regarding the “MyFlaw” security vulnerability Share January 17th, 2024 We have noticed some misleading media articles regarding the so-called “MyFlaw” vulnerability that allegedly puts Opera users at risk. This is NOT true. The coverage presents...
Are you still using public Wi-Fi without a VPN?
Security Are you still using public Wi-Fi without a VPN? Share October 14th, 2022 Hi readers, October is Cybersecurity Awareness Month and the focus is on you, the user. All the privacy and security features in the world are worth nothing if we ourselves don’t apply some best practices to our...
Update your browser regularly
Security Update your browser regularly Share February 12th, 2021 Mallory tries to hack an OS in order to spy on Alice. TL;DR: skip to the conclusions to see what Alice learned. Update your browser regularly Every once in a while you’re asked to update the software on your computer, or just told...
How private is a private window?
Privacy How private is a private window? Share October 15th, 2020 Alice and Bob find themselves in a shared living-space, where long-held secrets are at risk of being revealed. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Alice and Bob recently decided to take the...
Bypass a restriction in OfA 54 – Opera Security Advisories
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...
Opera becomes part of the CNA program
News Opera becomes part of the CNA program Share December 13th, 2019 Usually, Friday the 13th is considered to be an unlucky day. However, this is not the case for Opera, as we have great news, especially for security researchers and all security-minded Opera fans. We are proud to announce that...
Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate
Security Opera asks for my keychain password on macOS – what do I do? Opera 53 has a new signing certificate Share May 30th, 2018 Hello, We would like to let you know that we have updated our software signing certificate from Opera Software ASA to Opera Software AS. This is why your macOS is aski...
Upcoming update with IDN homograph phishing fix
Security Upcoming update with IDN homograph phishing fix Share April 21st, 2017 Domains are an integral part of the internet. Similar to how people write different languages using different characters or scripts, domain names can be composed of various scripts in whole or in part, and are called...
DLL hijacking and the Opera browser
Security DLL hijacking and the Opera browser Share March 10th, 2017 Recently, a collection of documents was released online, which was claimed to have originated with a major World power. The documents listed hacking vectors that could be used to inject code into major operating systems and...
Thanks to the researchers 2017
Research Thanks to the researchers 2017 Share March 3rd, 2017 We would like to thank the researchers who have offered us their assistance throughout the year, to help enhance the security of our websites. Special mention goes to those who discover and report security issues: Johnny Nipper Mehmet...
Legacy Opera Presto source code appearance in online sharing sites
Security Legacy Opera Presto source code appearance in online sharing sites Share January 18th, 2017 Opera recently became aware that source code from our legacy browser engine, Presto, has appeared in some online code and file sharing sites. This code is the property of Opera Software and has be...
Opera server breach incident
News Opera server breach incident Share August 26th, 2016 Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and...
Thanks to the researchers 2016
Research Thanks to the researchers 2016 Share April 19th, 2016 A number of researchers and website testers have offered their assistance throughout the year to help us tighten the security of our many websites. Thanks to all! Special mention goes to those who discover and report security issues:...
Developer 32: Protecting against yourself
Security Developer 32: Protecting against yourself Share June 18th, 2015 Remember the SuperFish scandal? A third party application installed a Certificate Authority on PCs, and then hijacked all secure connections by serving browsers certificates from this local certificate authority. The SuperFi...
Dealing with FREAK and SuperFish
Security Dealing with FREAK and SuperFish Share March 10th, 2015 The FREAK TLS attack Following the trend of memorable names for TLS attacks, FREAK was recently announced. This exploits a bug in some TLS libraries, combined with the support of ancient weak ciphers, to enable a MitM to force...
Security changes in Opera 25; the poodle attacks
Security Security changes in Opera 25; the poodle attacks Share October 15th, 2014 So the last weeks have been rather hectic behind the scenes in the browser security world, when Google security group found a new way to exploit a rather well known design weakness in SSLv3 published in the paper...
Thanks to the researchers 2014
Research Thanks to the researchers 2014 Share January 31st, 2014 Each year, a number of researchers offer their assistance to help us tighten the security of our wide array of websites. We would like to take this opportunity to thank the researchers and testers of 2014 for their assistance in...
Malformed GIF images could allow execution of arbitrary code – Opera Security Advisories
When loading GIF images into memory, Opera should allocate the correct amount of memory to store that image. Specially crafted image files can cause Opera to allocate the wrong amount of memory. Subsequent data may then overwrite unrelated memory with attacker-controlled data. This can lead to a...
Truncated dialogs may be used to trick users – Opera Security Advisories
When an important dialog is being displayed, such as a download dialog, the entire dialog should be visible, so that the user can clearly see what the dialog’s buttons will do. In some cases, specific user interactions can cause Opera not to enforce this correctly, allowing the window to become...
Certain URL constructs can allow arbitrary code execution – Opera Security Advisories
Certain page address URL constructs can cause Opera to allocate the wrong amount of memory for storing the address. When it then attempts to store the address, it will overwrite unrelated memory with attacker-controlled data. This can lead to a crash, which may also execute that data as code...
Small windows can be used in several ways to trick users into executing downloads – Opera Security Advisories
When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...
Large form inputs can allow execution of arbitrary code – Opera Security Advisories
Large form inputs can allow execution of arbitrary code – Opera Security Advisories OPCOM Team | January 25, 2011 Severity Critical Description When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could b...