PYSEC-2018-26

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/qutebrowser/PYSEC-2018-26.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2018-26
Aliases
Published
2018-06-26T16:29:00Z
Modified
2023-11-08T03:59:39.021146Z
Summary
[none]
Details

qutebrowser, starting with v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449), contains a Cross-Site Scripting (XSS) vulnerability in the qute://history page shown by the :history command. Via injected JavaScript code, a website can steal the user's browsing history. The attack appears to be exploitable when the victim opens a page with a specially crafted <title> attribute and then opens the qute://history page via the :history command. The vulnerability appears to have been fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week).

References

Affected packages

PyPI / qutebrowser

Package

Affected ranges

Type
GIT
Repo
https://github.com/qutebrowser/qutebrowser
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
ECOSYSTEM
Events
Introduced
0.11.0
Fixed
1.3.3

Affected versions

0.*

0.11.0
0.11.1

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2