{"api_version":"1","generated_at":"2026-04-23T01:19:15+00:00","cve":"CVE-2020-6159","urls":{"html":"https://cve.report/CVE-2020-6159","api":"https://cve.report/api/cve/CVE-2020-6159.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-6159","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-6159"},"summary":{"title":"CVE-2020-6159","description":"URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.","state":"PUBLIC","assigner":"security@opera.com","published_at":"2020-12-23 16:15:00","updated_at":"2020-12-23 19:27:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/","name":"https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Cross-site Scripting in OfA – Opera Security Advisories - Opera Security Corner","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-6159","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-6159","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"6159","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"opera","cpe5":"opera","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"6159","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"opera","cpe5":"opera","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-6159","ASSIGNER":"security@opera.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Opera for Android","version":{"version_data":[{"version_value":"Below 61.0.3076.56532"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross-site Scripting (CWE-79)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/","url":"https://security.opera.com/cross-site-scripting-in-ofa-opera-security-advisories/"}]},"description":{"description_data":[{"lang":"eng","value":"URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532."}]}},"nvd":{"publishedDate":"2020-12-23 16:15:00","lastModifiedDate":"2020-12-23 19:27:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:opera:opera:*:*:*:*:*:android:*:*","versionEndExcluding":"61.0.3076.56532","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"6159","Ordinal":"166409","Title":"CVE-2020-6159","CVE":"CVE-2020-6159","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"6159","Ordinal":"1","NoteData":"URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"6159","Ordinal":"2","NoteData":"2020-12-23","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"6159","Ordinal":"3","NoteData":"2020-12-23","Type":"Other","Title":"Modified"}]}}}