Manipulating certain text-area contents can cause a buffer
overflow, which may be exploited to execute arbitrary code.
Certain HTML constructs can cause the resulting DOM to change
unexpectedly, which triggers a crash. To inject code, additional
techniques will have to be employed.
Exceptionally long host names in file: URLs can cause a buffer
overflow, which may be exploited to execute arbitrary code. Remote Web
pages cannot refer to file: URLs, so successful exploitation involves
tricking users into manually opening the exploit URL, or a local file
that refers to it.
When Opera is previewing a news feed, some scripted URLs are not
correctly blocked. These can execute scripts which are able to
subscribe the user to any feed URL that the attacker chooses, and can
also view the contents of any feeds that the user is subscribed to.
These may contain sensitive information.
Built-in XSLT templates incorrectly handle escaped content and can
cause it to be treated as markup. If a site accepts content from
untrusted users, which it then displays using XSLT as escaped strings,
this can allow scripted markup to be injected. The scripts will then
be executed in the security context of that site.