[ASA-201806-13] qutebrowser: cross-site scripting
foxboron at archlinux.org
Tue Jun 26 19:58:13 UTC 2018
Arch Linux Security Advisory ASA-201806-13
Date : 2018-06-26
CVE-ID : CVE-2018-1000559
Package : qutebrowser
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-724
The package qutebrowser before version 1.3.3-1 is vulnerable to cross-
Upgrade to 1.3.3-1.
# pacman -Syu "qutebrowser>=1.3.3-1"
The problem has been fixed upstream in version 1.3.3.
qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS)
vulnerability that can result in a website stealing the user's browsing
history. This attack can be exploitable by tricking the victim into
opening a page with a specially crafted <title> attribute, and then
opening the qute://history site via the :history command.
A remote attacker is able to steal the browser history with a specially
crafted web page title.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security