4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
39.5%
Severity: Medium
Date : 2018-06-26
CVE-ID : CVE-2018-1000559
Package : qutebrowser
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-724
The package qutebrowser before version 1.3.3-1 is vulnerable to cross-
site scripting.
Upgrade to 1.3.3-1.
The problem has been fixed upstream in version 1.3.3.
None.
qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS)
vulnerability that can result in a website stealing the user’s browsing
history. This attack can be exploitable by tricking the victim into
opening a page with a specially crafted <title> attribute, and then
opening the qute://history site via the :history command.
A remote attacker is able to steal the browser history with a specially
crafted web page title.
https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7
https://github.com/qutebrowser/qutebrowser/issues/4011
https://security.archlinux.org/CVE-2018-1000559
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | qutebrowser | < 1.3.3-1 | UNKNOWN |
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
39.5%