CVE-2019-19788 - OpenCVE

Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opera	Opera

Configuration 1 [-]

cpe:2.3:a:opera:opera:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Opera

Published: 2019-12-18T21:31:10

Updated: 2024-08-05T02:25:12.685Z

Reserved: 2019-12-13T00:00:00

Link: CVE-2019-19788

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-18T22:15:13.677

Modified: 2020-01-07T18:21:54.803

Link: CVE-2019-19788

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Opera for Android", "vendor": "Opera Software AS", "versions": [{"status": "affected", "version": "Below 54.0.2669.49432"}]}], "descriptions": [{"lang": "en", "value": "Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context."}], "problemTypes": [{"descriptions": [{"description": "Bypass a restriction or similar", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-18T21:31:10", "orgId": "9aee7086-24f5-48b4-9428-908ac90b8b54", "shortName": "Opera"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@opera.com", "ID": "CVE-2019-19788", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Opera for Android", "version": {"version_data": [{"version_value": "Below 54.0.2669.49432"}]}}]}, "vendor_name": "Opera Software AS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Bypass a restriction or similar"}]}]}, "references": {"reference_data": [{"name": "https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/", "refsource": "MISC", "url": "https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:25:12.685Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/"}]}]}, "cveMetadata": {"assignerOrgId": "9aee7086-24f5-48b4-9428-908ac90b8b54", "assignerShortName": "Opera", "cveId": "CVE-2019-19788", "datePublished": "2019-12-18T21:31:10", "dateReserved": "2019-12-13T00:00:00", "dateUpdated": "2024-08-05T02:25:12.685Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opera:opera:*:*:*:*:*:android:*:*", "matchCriteriaId": "7E01E634-882C-4D4C-A906-3052EC09A396", "versionEndExcluding": "54.0.2669.49432", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction from a third-party context."}, {"lang": "es", "value": "Opera para Android versiones anteriores a 54.0.2669.49432, es vulnerable a un ataque de omisi\u00f3n de iframe de origen cruzado dentro del sandbox. Al utilizar un servicio que funciona dentro de un iframe del sandbox, es posible omitir los atributos normales del sandbox. Esto permite a un atacante realizar redireccionamientos forzados sin ninguna interacci\u00f3n del usuario desde un contexto de terceros."}], "id": "CVE-2019-19788", "lastModified": "2020-01-07T18:21:54.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-18T22:15:13.677", "references": [{"source": "security@opera.com", "tags": ["Vendor Advisory"], "url": "https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories/"}], "sourceIdentifier": "security@opera.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}