CVE-2018-10895: Qutebrowser CSRF Vulnerability
qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access qute://* URLs. A malicious website could exploit this to load a qute://settings/set URL, which then sets editor.command to a bash script, resulting in arbitrary code execution.
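As an added illustration, not code from the qutebrowser project or from the advisory: a small Python model of the two checks a defender cares about here, whether an installed version predates the 1.4.1 fix, and an origin policy that refuses qute:// requests whenever the initiating page is not itself a qute:// page. The first_party_url, should_block and audit names and the sample request records are assumptions constructed for this example.

```python
"""Added example for CVE-2018-10895: version check and origin-policy model."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

FIXED_VERSION = (1, 4, 1)     # first qutebrowser release that contains the fix
PRIVILEGED_SCHEME = "qute"    # qutebrowser's internal scheme (qute://settings, ...)


def is_vulnerable_version(version: str) -> bool:
    """True when a qutebrowser version string predates 1.4.1."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in match.group().split("."))
    return parts < FIXED_VERSION


def should_block(request_url: str, first_party_url: Optional[str]) -> bool:
    """Return True when the request must be refused.

    Policy (a model, not qutebrowser's own code): a request for a qute://
    URL is only honoured when the page that issued it is itself a qute://
    page. For a top-level navigation the initiator is the target itself,
    so a user opening qute://settings is still allowed, while a web page
    such as https://evil.example/ can no longer reach qute://settings/set.
    Requests for any other scheme are outside this rule and pass through.
    """
    if urlsplit(request_url).scheme.lower() != PRIVILEGED_SCHEME:
        return False
    if not first_party_url:
        return True  # unknown initiator: fail closed
    return urlsplit(first_party_url).scheme.lower() != PRIVILEGED_SCHEME


def audit(records: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str]]]:
    """Apply the policy to (request_url, first_party_url) pairs; return the refused ones."""
    return [rec for rec in records if should_block(*rec)]


# Constructed sample request records for this example (not captured traffic).
SAMPLE_REQUESTS = [
    ("qute://settings/set", "https://evil.example/"),          # web page -> privileged URL: refuse
    ("qute://settings/", "qute://settings/"),                   # user navigation: allow
    ("https://example.org/app.js", "https://evil.example/"),   # ordinary web request: allow
    ("qute://settings/set", None),                              # no initiator: refuse
]

if __name__ == "__main__":
    for version in ("1.3.3", "1.4.0", "1.4.1"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "fixed")
    for url, origin in audit(SAMPLE_REQUESTS):
        print("refused:", url, "from", origin)
```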
References
- bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10895
- github.com/advisories/GHSA-wgmx-52ph-qqcw
- github.com/pypa/advisory-database/tree/main/vulns/qutebrowser/PYSEC-2018-27.yaml
- github.com/qutebrowser/qutebrowser
- github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
- nvd.nist.gov/vuln/detail/CVE-2018-10895