CVE-2018-10895

qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://*' URLs. A malicious website could exploit this to load a 'qute://settings/set' URL, which then sets 'editor.command' to a bash script, resulting in arbitrary code execution.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
redhatCNA
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
qutebrowserqutebrowser
𝑥
< 1.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qutebrowser
bullseye
2.0.2-2
fixed
bookworm
2.5.3-1
fixed
sid
3.1.0-1
fixed
trixie
3.1.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qutebrowser
bionic
Fixed 1.1.1-1ubuntu0.1
released
artful
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2018/07/11/7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10895
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
http://www.openwall.com/lists/oss-security/2018/07/11/7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10895
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660