FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qutebrowser -- Remote code execution due to CSRF

Affected packages
1.4.0 <= qutebrowser < 1.4.1
1.0.0 <= qutebrowser < 1.3.3_1

Details

VuXML ID bd6cf187-8710-11e8-833d-18a6f7016652
Discovery 2018-07-11
Entry 2018-07-14

qutebrowser team reports:

Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like editor.command, this possibly allowed websites to execute arbitrary code.

References

CVE Name CVE-2018-10895
URL http://seclists.org/oss-sec/2018/q3/29