CVE-2018-16135
https://notcve.org/view.php?id=CVE-2018-16135
The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site. La aplicación Opera Mini 47.1.2249.129326 para Android permite a atacantes remotos falsificar el cuadro de diálogo Permiso de ubicación a través de un sitio web manipulado. • https://payatu.com/advisory/opera-mini-location-permission-spoof- •
CVE-2021-23253
https://notcve.org/view.php?id=CVE-2021-23253
Opera Mini for Android below 53.1 displays URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com…) The exact amount depends on the phone screen size but the attacker can craft a number of different domains and target different phones. Starting with version 53.1 Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field which mitigates the issue. Opera Mini para Android versiones por debajo de 53.1, muestra la URL alineada a la izquierda en el campo de dirección. • https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories •
CVE-2020-6159
https://notcve.org/view.php?id=CVE-2020-6159
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532. Las URL que usan "javascript:" tienen el protocolo removido cuando se pegaban en la barra de direcciones para proteger a usuarios de ataques de tipo cross-site scripting (XSS), pero en determinadas circunstancias esta eliminación no fue llevada a cabo. Esto podría permitir a usuarios hacer ingeniería social para ejecutar un ataque de tipo XSS contra ellos mismos. • https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-6157
https://notcve.org/view.php?id=CVE-2020-6157
Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing sensitive data. Opera Touch para iOS versiones anteriores a 2.4.5, es vulnerable a un ataque de suplantación de la barra de direcciones. La vulnerabilidad permite a una página maliciosa engañar al navegador para que muestre la dirección de una página diferente. • https://security.opera.com/address-bar-spoofing-in-opera-touch-for-ios-opera-security-advisories •
CVE-2019-12278
https://notcve.org/view.php?id=CVE-2019-12278
Opera through 53 on Android allows Address Bar Spoofing. Characters from several languages are displayed in Right-to-Left order, due to mishandling of several Unicode characters. The rendering mechanism, in conjunction with the "first strong character" concept, may improperly operate on a numerical IP address or an alphabetic string, leading to a spoofed URL. Opera versiones hasta 53 en Android, permite una Suplantación de la Barra de Direcciones. Los caracteres de varios idiomas son desplegados en orden de derecha a izquierda, debido al manejo inapropiado de varios caracteres Unicode. • https://help.opera.com/en/latest/security-and-privacy https://medium.com/bugbountywriteup/opera-android-address-bar-spoofing-cve-2019-12278-9ffcfd6c508c •