Opera 17 (Android) intent: read local files

2014.02.09
Credit: jvndb
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-0815
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Opera browser for Android contains an issue in the handling of intent scheme URL's. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVSS Severity (What is CVSS?) Base Metrics: 4.3 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None Affected Products Opera Software ASA Opera browser for Android versions prior to 18 Impact When a user views a specially crafted page, the Opera browser for Android cookie file may be disclosed. Solution [Apply an Update] Apply the appropriate update for the version of the software being used. Vendor Information Opera Software ASA Opera : Security blog -- Security changes and features of Opera 19 CWE (What is CWE?) Permissions(CWE-264) [IPA Evaluation] CVE (What is CVE?) CVE-2014-0815 References JVN : JVN#23256725 Revision History [2014/02/06] Web page was published

References:

http://jvndb.jvn.jp/jvndb/JVNDB-2014-000014
http://jvn.jp/en/jp/JVN23256725/index.html
http://blogs.opera.com/security/2014/01/security-changes-features-opera-19/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top