CVE-2009-3013
Description
Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Opera 9.52 and earlier fails to block data: URIs in Location headers, enabling XSS via JavaScript execution outside the context of the HTTP site.
Vulnerability
Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, do not block data: URIs in the Location header of an HTTP response. An attacker who can get a data:text/html URI containing script into that header, either by injecting the header outright or by supplying the data: URI as the destination wherever a redirect target is specified, causes Opera to follow the redirect and render the attacker's document [1][2].
Exploitation
The attacker needs a way to place a data:text/html URI containing JavaScript into a Location header that the victim's browser will receive: typically a server-side redirector that reflects a request parameter into Location without validating the scheme, or any other endpoint where the redirect destination is attacker-specified. No authentication to the target site is required; the site need only emit the redirect, and the bug is Opera's failure to refuse the data: scheme as a redirect target [1].
Impact
Successful exploitation executes arbitrary JavaScript in the origin of the data: URI, not in the origin of the redirecting site, so the target domain's cookies, storage and DOM are not directly reachable; this is why the record's NOTE distinguishes it from a conventional XSS. What the attacker does get is a page of arbitrary content reached by following a link to a trusted site, which is enough for phishing, spoofed login forms and other client-side attacks that do not depend on same-origin access [1].
Mitigation
Users should upgrade to an Opera release later than those listed as affected (9.52 and earlier, and 10.00 Beta 3 Build 1699); the Patches section below records no specific fix commit. On the client side there is no workaround other than upgrading. Sites that operate redirectors can neutralise the vector independently of the client by allowing only http: and https: destinations in Location, which also closes the open-redirect problem that usually accompanies such endpoints. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
25 CPE entries:
- cpe:2.3:a:opera:opera_browser:*:*:*:*:*:*:*:*range: <=9.52
- cpe:2.3:a:opera:opera_browser:10.00:beta_3:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.23:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.53:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.54:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:7.60:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.01:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.02:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.50:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.51:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.52:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.53:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:8.54:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.01:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.02:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.10:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.12:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.20:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.21:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.22:*:*:*:*:*:*:*
- cpe:2.3:a:opera:opera_browser:9.51:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references indexed.
News mentions
No linked articles in our index yet.