
Qutebrowser CSRF Vulnerability

High severity GitHub Reviewed Published Oct 10, 2018 to the GitHub Advisory Database • Updated Aug 31, 2023

Package

qutebrowser (pip)

Affected versions

< 1.4.1

Patched versions

1.4.1

Description

qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access qute://* URLs. A malicious website could exploit this to load a qute://settings/set URL, which then sets editor.command to a bash script, resulting in arbitrary code execution.

References

Published to the GitHub Advisory Database Oct 10, 2018
Reviewed Jun 16, 2020
Last updated Aug 31, 2023

Severity

High: 8.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2018-10895

GHSA ID

GHSA-wgmx-52ph-qqcw