Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201806-13 ========================================= Severity: Medium Date : 2018-06-26 CVE-ID : CVE-2018-1000559 Package : qutebrowser Type : cross-site scripting Remote : Yes Link : https://security.archlinux.org/AVG-724 Summary ====== The package qutebrowser before version 1.3.3-1 is vulnerable to cross-site scripting. Resolution ========= Upgrade to 1.3.3-1. # pacman -Syu "qutebrowser>=1.3.3-1" The problem has been fixed upstream in version 1.3.3. Workaround ========= None. Description ========== qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS) vulnerability that can result in a website stealing the user's browsing history. This attack can be exploitable by tricking the victim into opening a page with a specially craftedattribute, and then opening the qute://history site via the :history command. Impact ===== A remote attacker is able to steal the browser history with a specially crafted web page title. References ========= https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7 https://github.com/qutebrowser/qutebrowser/issues/4011 https://security.archlinux.org/CVE-2018-1000559