CSRF in Opera Opera_browser

CVE-2013-1639

Opera before 12.13 does not send CORS preflight requests in all required cases, which allows remote attackers to bypass a CSRF protection mechanism via a crafted web site that triggers a CORS request.

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.005 (38.1th percentile) — read the EPSS interpretation.

Affected products

Opera Opera_browser — versions 12.00, 12.01, 12.02
N/a — versions n/a

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

cve@mitre.org (x_refsource_CONFIRM)
openSUSE-SU-2013:0289 (vendor-advisory, x_refsource_SUSE)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)