CVE-2021-23253 - OpenCVE

Opera Mini for Android below 53.1 displays URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com…) The exact amount depends on the phone screen size but the attacker can craft a number of different domains and target different phones. Starting with version 53.1 Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field which mitigates the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opera	Opera Mini

Configuration 1 [-]

cpe:2.3:a:opera:opera_mini:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Opera

Published: 2021-01-11T15:43:01

Updated: 2024-08-03T19:05:55.603Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23253

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-11T16:15:15.663

Modified: 2021-01-20T02:42:07.597

Link: CVE-2021-23253

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Opera Mini for Android", "vendor": "n/a", "versions": [{"status": "affected", "version": "Below 53.1"}]}], "descriptions": [{"lang": "en", "value": "Opera Mini for Android below 53.1 displays URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com\u2026) The exact amount depends on the phone screen size but the attacker can craft a number of different domains and target different phones. Starting with version 53.1 Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field which mitigates the issue."}], "problemTypes": [{"descriptions": [{"description": "Address bar spoofing", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-11T15:43:01", "orgId": "9aee7086-24f5-48b4-9428-908ac90b8b54", "shortName": "Opera"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@opera.com", "ID": "CVE-2021-23253", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Opera Mini for Android", "version": {"version_data": [{"version_value": "Below 53.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Opera Mini for Android below 53.1 displays URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com\u2026) The exact amount depends on the phone screen size but the attacker can craft a number of different domains and target different phones. Starting with version 53.1 Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field which mitigates the issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Address bar spoofing"}]}]}, "references": {"reference_data": [{"name": "https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/", "refsource": "CONFIRM", "url": "https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.603Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/"}]}]}, "cveMetadata": {"assignerOrgId": "9aee7086-24f5-48b4-9428-908ac90b8b54", "assignerShortName": "Opera", "cveId": "CVE-2021-23253", "datePublished": "2021-01-11T15:43:01", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-08-03T19:05:55.603Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opera:opera_mini:*:*:*:*:*:android:*:*", "matchCriteriaId": "EA9B517F-93FF-4082-8F4E-622860AC3668", "versionEndExcluding": "53.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opera Mini for Android below 53.1 displays URL left-aligned in the address field. This allows a malicious attacker to craft a URL with a long domain name, e.g. www.safe.opera.com.attacker.com. With the URL being left-aligned, the user will only see the front part (e.g. www.safe.opera.com\u2026) The exact amount depends on the phone screen size but the attacker can craft a number of different domains and target different phones. Starting with version 53.1 Opera Mini displays long URLs with the top-level domain label aligned to the right of the address field which mitigates the issue."}, {"lang": "es", "value": "Opera Mini para Android versiones por debajo de 53.1, muestra la URL alineada a la izquierda en el campo de direcci\u00f3n. Esto permite a un atacante malicioso crear una URL con un nombre de dominio largo, por ejemplo, www.safe.opera.com.attacker.com. Con la URL alineada a la izquierda, el usuario solo ver\u00e1 la parte frontal (por ejemplo, www.safe.opera.com ...) La cantidad exacta depende del tama\u00f1o de la pantalla del tel\u00e9fono, pero el atacante puede crear varios dominios diferentes y apuntar a diferentes tel\u00e9fonos . A partir de la versi\u00f3n 53.1, Opera Mini muestra URL largas con la etiqueta de dominio de nivel superior alineada a la derecha del campo de direcci\u00f3n, lo que mitiga el problema"}], "id": "CVE-2021-23253", "lastModified": "2021-01-20T02:42:07.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-11T16:15:15.663", "references": [{"source": "security@opera.com", "tags": ["Vendor Advisory"], "url": "https://security.opera.com/address-bar-spoofing-in-opera-mini-opera-security-advisories/"}], "sourceIdentifier": "security@opera.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}