[manjaro-security] [ASA-201806-13] qutebrowser: cross-site scripting
Morten Linderud
foxboron at archlinux.org
Tue Jun 26 21:58:13 CEST 2018
Arch Linux Security Advisory ASA-201806-13
==========================================
Severity: Medium
Date : 2018-06-26
CVE-ID : CVE-2018-1000559
Package : qutebrowser
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-724
Summary
=======
The package qutebrowser before version 1.3.3-1 is vulnerable to cross-
site scripting.
Resolution
==========
Upgrade to 1.3.3-1.
# pacman -Syu "qutebrowser>=1.3.3-1"
The problem has been fixed upstream in version 1.3.3.
Workaround
==========
None.
Description
===========
qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS)
vulnerability that can result in a website stealing the user's browsing
history. This attack can be exploitable by tricking the victim into
opening a page with a specially crafted <title> attribute, and then
opening the qute://history site via the :history command.
Impact
======
A remote attacker is able to steal the browser history with a specially
crafted web page title.
References
==========
https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7
https://github.com/qutebrowser/qutebrowser/issues/4011
https://security.archlinux.org/CVE-2018-1000559
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20180626/d5f2f9c3/attachment.sig>
More information about the manjaro-security
mailing list