CVE-2009-3265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3265): Cross-site scripting (XSS) vulnerability in Opera 9 and 10 allows remote attackers to inject arbitrary web script or HTML via a (1) RSS or (2) Atom feed, related to the rendering of the application/rss+xml content type as "scripted content." NOTE: the vendor reportedly considers this behavior a "design feature," not a vulnerability.
CVE-2009-3266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3266): Unspecified vulnerability in Opera 9 and 10 allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain "complete control over feeds" via a (1) RSS or (2) Atom feed, related to the rendering of the application/rss+xml content type as "scripted content."
jer, was this fixed in 10.01?
Looks like [1] to me: "Opera may allow scripts to run on the feed subscription page, thereby gaining access to the feeds object. This can be used for automatic subscription of feeds, or reading other feeds."
[1] http://www.opera.com/support/kb/view/939/ as mentioned in CVE-2009-3266 as well as the change logs for 10.01.
So yes, I guess this is fixed. :)
Thanks! Ready to vote, I vote NO.
No too, closing.