CVE-2018-10895: Possible remote code execution via CSRF in qute://settings
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| qutebrowser (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | Fix Released | Medium | Simon Quigley | |
Bug Description
qutebrowser 1.0.0 to 1.4.0 allows websites to change configuration settings via the qute://settings page by using CSRF. E.g. via the editor setting, this can very likely lead to a remote code execution. This has been fixed in 1.4.1 uploaded to Debian Unstable a few hours ago. Patches for earlier releases are available upstream.
Details at upstream and OSS security:
http://
https:/
Introduced in: https:/
Fixed in: https:/
Ubuntu is affected in Bionic (1.1.1-1) and Cosmic (1.4.0-1).
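The following Python sketch is an added illustration of the vulnerability class the report describes, not qutebrowser's code and not its actual fix. It models a browser-internal settings page that accepts a "change this option" request: the first handler applies whatever it receives, so a page on any origin can change a setting such as the editor command; the second only applies changes that arrive by POST, from a document on the browser's own `qute://` scheme, and that carry a per-session token which only that internal page can read. The class and field names, the `option`/`value` parameters and the `editor.command` key are assumptions for the example.

```python
"""Toy model of CSRF against an internal settings page and one way to close it.

Added illustration only: nothing here is qutebrowser code. All names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac
import secrets

INTERNAL_SCHEME = "qute"  # the browser's own scheme, as named in the report


@dataclass
class Request:
    """A settings-change request as the internal page would see it."""
    method: str                  # "GET" or "POST"
    initiator: Optional[str]     # origin of the document that issued the request
    params: Dict[str, str]       # e.g. {"option": "editor.command", "value": "..."}
    token: Optional[str] = None  # anti-CSRF token, if the sender had one


class VulnerableSettingsPage:
    """Pre-fix pattern: applies any change it receives, whoever sent it."""

    def __init__(self) -> None:
        self.config: Dict[str, str] = {}

    def handle(self, req: Request) -> bool:
        # No check on method, initiator or token: a cross-site request succeeds.
        self.config[req.params["option"]] = req.params["value"]
        return True


class HardenedSettingsPage:
    """Requires POST, an initiator on the internal scheme, and a per-session token."""

    def __init__(self) -> None:
        self.config: Dict[str, str] = {}
        # Minted once per session and embedded in the rendered settings page,
        # so only a document on the internal scheme can read and echo it back.
        self._token = secrets.token_urlsafe(32)

    def page_token(self) -> str:
        return self._token

    def handle(self, req: Request) -> bool:
        if req.method != "POST":
            return False  # state changes never ride on a GET (no <img>/link CSRF)
        if req.initiator is None or not req.initiator.startswith(INTERNAL_SCHEME + "://"):
            return False  # only the browser's own pages may change settings
        if req.token is None or not hmac.compare_digest(req.token, self._token):
            return False  # constant-time compare against the session token
        self.config[req.params["option"]] = req.params["value"]
        return True


def cross_site_request() -> Request:
    """Constructed sample: a request triggered by a document on an ordinary web origin."""
    return Request(
        method="POST",
        initiator="https://attacker.example",
        params={"option": "editor.command", "value": "attacker-controlled"},
    )


def legitimate_request(page: HardenedSettingsPage) -> Request:
    """Constructed sample: the change a user makes through the internal page itself."""
    return Request(
        method="POST",
        initiator=INTERNAL_SCHEME + "://settings",
        params={"option": "editor.command", "value": "user-chosen-editor"},
        token=page.page_token(),
    )


def compare() -> Dict[str, bool]:
    """Run the same cross-site request against both handlers and report the outcome."""
    vuln = VulnerableSettingsPage()
    hard = HardenedSettingsPage()
    return {
        "vulnerable_accepts_cross_site": vuln.handle(cross_site_request()),
        "hardened_accepts_cross_site": hard.handle(cross_site_request()),
        "hardened_accepts_own_page": hard.handle(legitimate_request(hard)),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name}: {outcome}")
```

The three checks are deliberately independent: the method check stops the simplest image-tag or link-based triggers, the initiator check keeps ordinary web origins out of the internal scheme, and the token check protects the endpoint even if an initiator value were ever spoofable. Any one of them failing is enough to reject the request.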
CVE References
- information type: Private Security → Public Security
- tags: added: community-security
- Changed in qutebrowser (Ubuntu Bionic): status: New → In Progress
- Changed in qutebrowser (Ubuntu): importance: Undecided → Medium
- Changed in qutebrowser (Ubuntu Bionic): importance: Undecided → Medium
- Changed in qutebrowser (Ubuntu): assignee: nobody → Simon Quigley (tsimonq2)
- Changed in qutebrowser (Ubuntu Bionic): assignee: nobody → Simon Quigley (tsimonq2)
- Changed in qutebrowser (Ubuntu): assignee: Simon Quigley (tsimonq2) → nobody
- Changed in qutebrowser (Ubuntu): status: Confirmed → Fix Released
Meh, can't link this bug report to a CVE report as Launchpad claims that "CVE-2018-10895 is not a valid CVE number". But it obviously is.