CVE-2009-2351
Description
Opera 9.52 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 10.00 Beta 3 Build 1699 is also affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Opera 9.52 and earlier (and 10.00 Beta 3 Build 1699) fails to block javascript: URIs in Refresh headers, allowing cross-site scripting attacks.
Vulnerability
Opera 9.52 and earlier versions, as well as 10.00 Beta 3 Build 1699, do not properly block javascript: URIs in Refresh headers of HTTP responses [1][2]. This allows a remote attacker to inject a Refresh header (e.g., via a vulnerable script) or specify its content, leading to cross-site scripting (XSS) attacks. The vulnerability is a variant of CVE-2009-1312.
Exploitation
An attacker needs to find a web application that reflects user input into a Refresh header or allows setting the Refresh header value. The attacker crafts a request that causes the server to respond with a Refresh: 0; URL=javascript:alert(document.cookie) header [2]. When the browser processes this header, it executes the JavaScript code in the context of the vulnerable site.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the security context of the vulnerable website. This can lead to cookie theft, session hijacking, phishing, or other malicious actions [1]. The attacker does not require any special privileges; the attack works on standard HTTP responses.
Mitigation
As of the publication date (2009-07-07), no official fix was available from Opera for the affected versions. Users should upgrade to a patched version if available; however, the references do not specify a fixed release. Blocking javascript: URIs in Refresh headers via a proxy or web application firewall may reduce risk. The issue was later addressed in subsequent Opera versions, but specifics are not provided in the cited references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
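The mitigation section above suggests filtering javascript: URIs out of Refresh headers at a proxy or WAF. The following is an added example of such a response filter (not code from Opera or from the advisory); the header names, function names and the sample header values are constructed for illustration. It parses the Refresh value the way browsers do and normalises the URL before inspecting its scheme, so whitespace-obfuscated variants are caught as well.

```python
import re
from typing import List, Optional, Tuple

WS = " \t\n\r\f"

def parse_refresh_url(value: str) -> Optional[str]:
    """Extract the URL part of a Refresh header value in the shape browsers
    accept: "<seconds>[;|,] [url=]<url>", quotes around the URL optional."""
    v = value.strip(WS)
    rest = v[re.match(r"[0-9.]*", v).end():].lstrip(WS)   # skip the delay
    if rest and rest[0] in ";,":
        rest = rest[1:].lstrip(WS)
    if rest[:4].lower() == "url=":
        rest = rest[4:].lstrip(WS)
    if rest and rest[0] in "'\"":                          # quoted URL
        end = rest.find(rest[0], 1)
        rest = rest[1:end] if end != -1 else rest[1:]
    return rest or None

def url_scheme(url: str) -> str:
    """Scheme as a browser's URL parser sees it: ASCII tab/CR/LF are dropped
    anywhere in the URL and leading C0 controls/spaces are stripped, so a
    check on the raw value would miss an obfuscated "java<TAB>script:"."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n")
    cleaned = cleaned.lstrip("".join(chr(c) for c in range(0x21)))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else ""

BLOCKED_SCHEMES = {"javascript"}   # the scheme this CVE is about

def refresh_header_is_dangerous(value: str) -> bool:
    url = parse_refresh_url(value)
    return url is not None and url_scheme(url) in BLOCKED_SCHEMES

def sanitize_response_headers(headers: List[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], int]:
    """Drop Refresh headers whose URL uses a blocked scheme. Returns the
    remaining headers and the number removed, so the proxy can log/alert."""
    kept, dropped = [], 0
    for name, value in headers:
        if name.lower() == "refresh" and refresh_header_is_dangerous(value):
            dropped += 1
            continue
        kept.append((name, value))
    return kept, dropped

# Constructed sample upstream response headers (not from the advisory).
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Refresh", "0; URL=javascript:alert(1)"),
                  ("Refresh", "5; url=https://example.test/next")]
```

A filter like this only covers the header variant; a meta refresh tag in the HTML body would need the same treatment in a body rewriter.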
Affected products
- cpe:2.3:a:opera:opera_browser:*:*:*:*:*:*:*:* (version range: <=9.52)
- cpe:2.3:a:opera:opera_browser:10.00:beta_3:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.23:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.53:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.54:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.60:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.01:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.02:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.50:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.51:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.52:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.53:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.54:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.01:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.02:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.10:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.12:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.20:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.21:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.22:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.51:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.