CVE-2018-10895: Remote code execution due to CSRF on the qute://settings page #4060
Due to a CSRF vulnerability affecting the
This issue has been assigned CVE-2018-10895.
The issue was introduced in v1.0.0, as part of commit ffc29ee.
It was fixed in the v1.4.1 release, in commit 43e58ac.
All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
2018-07-09: I was made aware of the original issue privately (initially
2018-07-10: Slightly updated patch sent to the distros mailinglist.
2018-07-11: Public disclosure.
Please upgrade to v1.4.1 or apply the patches above.
Note that disabling loading of
As a workaround, it's possible to patch out the vulnerable code via a
# In config.py: replace the vulnerable qute://settings/set handler with one
# that returns an empty page and changes no settings.
from qutebrowser.browser import qutescheme
qutescheme._qute_settings_set = lambda url: ('text/html', '')
While there is no known exploit for this in the wild, users are advised to
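The following is an added example, not code from qutebrowser or from the fix commit referenced above. It models the shape of the problem with stand-ins: a handler that changes a setting in response to a plain GET of a `qute://settings/set?option=...&value=...` URL (which any third-party page can cause the browser to load, hence the CSRF), the advisory's workaround that neutralises the handler, and a token-checked form of the handler. The settings store, the option name `example.option`, the `token` query parameter and the `RequestDeniedError` class are assumptions made for the illustration; the advisory does not state which option was targeted or how the real fix validates requests, and the example makes no claim about that.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed settings store standing in for the browser's config object.
SETTINGS = {"example.option": "original"}

# Per-render secret for the hardened handler; None until qute://settings
# itself has been rendered (assumption: only that page ever learns it).
_STATE = {"token": None}


class RequestDeniedError(Exception):
    """Raised when a qute://settings/set request is refused."""


def _parse_set_url(url):
    """Return (option, value, all params) from qute://settings/set?...

    Rejects anything that is not exactly the settings/set endpoint.
    """
    parsed = urlparse(url)
    if (parsed.scheme, parsed.netloc, parsed.path) != ("qute", "settings", "/set"):
        raise RequestDeniedError("not a qute://settings/set URL: %r" % url)
    params = parse_qs(parsed.query)
    try:
        return params["option"][0], params["value"][0], params
    except (KeyError, IndexError):
        raise RequestDeniedError("option and value are required")


def settings_set_vulnerable(url):
    """Handler with the affected shape: a plain GET changes a setting.

    Nothing checks who caused the URL to load, so a web page that makes the
    browser fetch it (an <img>, an <iframe>, a redirect) changes settings
    on the user's behalf.
    """
    option, value, _ = _parse_set_url(url)
    SETTINGS[option] = value
    return "text/html", "ok"


def settings_set_disabled(url):
    """The advisory's workaround: answer with an empty page, change nothing."""
    return "text/html", ""


def render_settings_page():
    """Render qute://settings; mints the token a legitimate submit carries.

    The real page lists every option; the body is elided here.
    """
    _STATE["token"] = secrets.token_urlsafe(32)
    return "text/html", "<form action='qute://settings/set'>...</form>"


def settings_set_hardened(url):
    """Only honour requests carrying the token minted by render_settings_page."""
    option, value, params = _parse_set_url(url)
    supplied = params.get("token", [""])[0]
    expected = _STATE["token"]
    if expected is None or not secrets.compare_digest(supplied, expected):
        raise RequestDeniedError("invalid CSRF token for qute://settings")
    SETTINGS[option] = value
    return "text/html", "ok"


def legitimate_submit(option, value):
    """What the qute://settings page itself does: submit with its token."""
    url = "qute://settings/set?option=%s&value=%s&token=%s" % (
        option, value, _STATE["token"] or "")
    return settings_set_hardened(url)


def simulate_cross_site_load(handler):
    """Constructed attack: a third-party page forces a load of the set URL.

    Returns True if the handler let the setting change; restores the store
    afterwards so the simulation can be repeated against other handlers.
    """
    malicious = "qute://settings/set?option=example.option&value=attacker"
    before = dict(SETTINGS)
    try:
        handler(malicious)
    except RequestDeniedError:
        pass
    changed = SETTINGS != before
    SETTINGS.clear()
    SETTINGS.update(before)
    return changed
```

The difference between the three handlers is entirely in what they accept: the vulnerable one trusts the URL, the workaround trusts nothing and does nothing, and the hardened one trusts only a request that proves it came from the settings page by carrying a secret no other origin can read. `secrets.compare_digest` is used so the token check does not leak timing information.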