qutebrowser is a keyboard-focused browser with a minimal GUI. It=EF=BF=BD =EF=BF=BD=EF=BF=BDs based on Python, PyQt5 and QtWebEngine and free software, licensed under the GPL. It was inspired by other browsers/addons like dwb and Vimperator/Pentadacty l.
{"nessus": [{"lastseen": "2021-08-19T12:15:22", "description": "Qutebrowser developers report :\n\nAfter a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https).\nWhile the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.", "cvss3": {"score": 3.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"}, "published": "2020-05-11T00:00:00", "type": "nessus", "title": "FreeBSD : qutebrowser -- Reloading page with certificate errors shows a green URL (452d16bb-920d-11ea-9d20-18a6f7016652)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11054"], "modified": "2020-05-15T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:qutebrowser", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_452D16BB920D11EA9D2018A6F7016652.NASL", "href": "https://www.tenable.com/plugins/nessus/136442", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136442);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/15\");\n\n script_cve_id(\"CVE-2020-11054\");\n\n script_name(english:\"FreeBSD : qutebrowser -- Reloading page with certificate errors shows a green URL (452d16bb-920d-11ea-9d20-18a6f7016652)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Qutebrowser developers report :\n\nAfter a certificate error was overridden by the user, qutebrowser\ndisplays the URL as yellow (colors.statusbar.url.warn.fg). However,\nwhen the affected website was subsequently loaded again, the URL was\nmistakenly displayed as green (colors.statusbar.url.success_https).\nWhile the user already has seen a certificate error prompt at this\npoint (or set content.ssl_strict to false which is not recommended),\nthis could still provide a false sense of security.\"\n );\n # https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6a4d2bca\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/qutebrowser/qutebrowser/issues/5403\"\n );\n # https://vuxml.freebsd.org/freebsd/452d16bb-920d-11ea-9d20-18a6f7016652.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?46fce791\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11054\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:qutebrowser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"qutebrowser<1.11.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-16T00:07:47", "description": "We missed a few upstream releases but there's not breaking changes as far as I know. Lot of bug fixes and minor changes.\n\n----\n\nAddresses CVE-2020-11054: After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security. This is now fixed.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 3.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"}, "published": "2020-09-21T00:00:00", "type": "nessus", "title": "Fedora 32 : qutebrowser (2020-f0812d6aad)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11054"], "modified": "2020-09-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:qutebrowser", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-F0812D6AAD.NASL", "href": "https://www.tenable.com/plugins/nessus/140676", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-f0812d6aad.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140676);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2020-11054\");\n script_xref(name:\"FEDORA\", value:\"2020-f0812d6aad\");\n\n script_name(english:\"Fedora 32 : qutebrowser (2020-f0812d6aad)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"We missed a few upstream releases but there's not breaking changes as\nfar as I know. Lot of bug fixes and minor changes.\n\n----\n\nAddresses CVE-2020-11054: After a certificate error was overridden by\nthe user, qutebrowser displays the URL as yellow\n(colors.statusbar.url.warn.fg). However, when the affected website was\nsubsequently loaded again, the URL was mistakenly displayed as green\n(colors.statusbar.url.success_https). While the user already has seen\na certificate error prompt at this point (or set content.ssl_strict to\nfalse which is not recommended), this could still provide a false\nsense of security. This is now fixed.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-f0812d6aad\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected qutebrowser package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qutebrowser\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"qutebrowser-1.13.1-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qutebrowser\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:58", "description": "Arch Linux Security Advisory ASA-202005-5\n=========================================\n\nSeverity: Low\nDate : 2020-05-07\nCVE-ID : CVE-2020-11054\nPackage : qutebrowser\nType : certificate verification bypass\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1152\n\nSummary\n=======\n\nThe package qutebrowser before version 1.11.1-1 is vulnerable to\ncertificate verification bypass.\n\nResolution\n==========\n\nUpgrade to 1.11.1-1.\n\n# pacman -Syu \"qutebrowser>=1.11.1-1\"\n\nThe problem has been fixed upstream in version 1.11.1.\n\nWorkaround\n==========\n\n* Treat any host with a certificate exception as insecure, ignoring the\nURL color\n\n* Or set content.ssl_strict to True (instead of 'ask'), preventing\ncertificate exceptions in the configuration\n\nDescription\n===========\n\nIn qutebrowser before version 1.11.1 there is an issue where after a\ncertificate error was overridden by the user, qutebrowser displays the\nURL as yellow (colors.statusbar.url.warn.fg). However, when the\naffected website was subsequently loaded again, the URL was mistakenly\ndisplayed as green (colors.statusbar.url.success_https). While the user\nalready has seen a certificate error prompt at this point (or set\ncontent.ssl_strict to false which is not recommended), this could still\nprovide a false sense of security.\n\nImpact\n======\n\nThe user might think the webpage is secure, when in reality it has an\ninvalid certificate.\n\nReferences\n==========\n\nhttps://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467\nhttps://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac\nhttps://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j\nhttps://security.archlinux.org/CVE-2020-11054", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-05-07T00:00:00", "type": "archlinux", "title": "[ASA-202005-5] qutebrowser: certificate verification bypass", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-05-07T00:00:00", "id": "ASA-202005-5", "href": "https://security.archlinux.org/ASA-202005-5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nQutebrowser developers report:\n\nAfter a certificate error was overridden by the user,\n\t qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg).\n\t However, when the affected website was subsequently loaded again,\n\t the URL was mistakenly displayed as green (colors.statusbar.url.success_https).\n\t While the user already has seen a certificate error prompt at this point\n\t (or set content.ssl_strict to false which is not recommended),\n\t this could still provide a false sense of security.\n\n\n", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-05-02T00:00:00", "type": "freebsd", "title": "qutebrowser -- Reloading page with certificate errors shows a green URL", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-05-02T00:00:00", "id": "452D16BB-920D-11EA-9D20-18A6F7016652", "href": "https://vuxml.freebsd.org/freebsd/452d16bb-920d-11ea-9d20-18a6f7016652.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "github": [{"lastseen": "2022-05-13T12:33:17", "description": "# Description\n\nAfter a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security.\n\n# Affected versions and patches\n\nAll versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested.\n\nThe issue is fixed in qutebrowser v1.11.1 (pending release) and v1.12.0 (unreleased). Backported patches for older versions are available, but no further releases are planned.\n\n# Mitigation\n\nIf you are unable to upgrade:\n\n- Treat any host with a certificate exception as insecure, ignoring the URL color\n- Or set `content.ssl_strict` to `True` (instead of `'ask'`), preventing certificate exceptions\n\n# References\n\n- qutebrowser issue: https://github.com/qutebrowser/qutebrowser/issues/5403\n- Fix (master branch): https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975\n- Related issue for KDE Falkon: https://bugs.kde.org/show_bug.cgi?id=420902\n- Related issue for eric6 Web Browser: https://tracker.die-offenbachs.homelinux.org/eric/issue328 (fixed in eric6 20.6)", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-08T19:05:05", "type": "github", "title": "Incorrect Provision of Specified Functionality in qutebrowser", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2022-04-19T19:02:25", "id": "GHSA-4RCQ-JV2F-898J", "href": "https://github.com/advisories/GHSA-4rcq-jv2f-898j", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:26:30", "description": "In qutebrowser versions less than 1.11.1, reloading a page with certificate\nerrors shows a green URL. After a certificate error was overridden by the\nuser, qutebrowser displays the URL as yellow\n(colors.statusbar.url.warn.fg). However, when the affected website was\nsubsequently loaded again, the URL was mistakenly displayed as green\n(colors.statusbar.url.success_https). While the user already has seen a\ncertificate error prompt at this point (or set content.ssl_strict to false,\nwhich is not recommended), this could still provide a false sense of\nsecurity. This has been fixed in 1.11.1 and 1.12.0. All versions of\nqutebrowser are believed to be affected, though versions before v0.11.x\ncouldn't be tested. Backported patches for older versions (greater than or\nequal to 1.4.0 and less than or equal to 1.10.2) are available, but no\nfurther releases are planned.", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-05-07T00:00:00", "type": "ubuntucve", "title": "CVE-2020-11054", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-05-07T00:00:00", "id": "UB:CVE-2020-11054", "href": "https://ubuntu.com/security/CVE-2020-11054", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "qutebrowser is a keyboard-focused browser with a minimal GUI. It=EF=BF=BD =EF=BF=BD=EF=BF=BDs based on Python, PyQt5 and QtWebEngine and free software, licensed under the GPL. It was inspired by other browsers/addons like dwb and Vimperator/Pentadacty l. ", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-09-13T14:19:02", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: qutebrowser-1.11.1-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-09-13T14:19:02", "id": "FEDORA:0CCE93095394", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2022-06-28T06:01:38", "description": "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-07T21:15:00", "type": "debiancve", "title": "CVE-2020-11054", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-05-07T21:15:00", "id": "DEBIANCVE:CVE-2020-11054", "href": "https://security-tracker.debian.org/tracker/CVE-2020-11054", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-05-12T01:25:52", "description": "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-07T21:15:00", "type": "osv", "title": "PYSEC-2020-97", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-09-21T02:15:00", "id": "OSV:PYSEC-2020-97", "href": "https://osv.dev/vulnerability/PYSEC-2020-97", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-10T05:05:04", "description": "# Description\n\nAfter a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security.\n\n# Affected versions and patches\n\nAll versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested.\n\nThe issue is fixed in qutebrowser v1.11.1 (pending release) and v1.12.0 (unreleased). Backported patches for older versions are available, but no further releases are planned.\n\n# Mitigation\n\nIf you are unable to upgrade:\n\n- Treat any host with a certificate exception as insecure, ignoring the URL color\n- Or set `content.ssl_strict` to `True` (instead of `'ask'`), preventing certificate exceptions\n\n# References\n\n- qutebrowser issue: https://github.com/qutebrowser/qutebrowser/issues/5403\n- Fix (master branch): https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975\n- Related issue for KDE Falkon: https://bugs.kde.org/show_bug.cgi?id=420902\n- Related issue for eric6 Web Browser: https://tracker.die-offenbachs.homelinux.org/eric/issue328 (fixed in eric6 20.6)", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-08T19:05:05", "type": "osv", "title": "Incorrect Provision of Specified Functionality in qutebrowser", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2022-06-10T02:09:25", "id": "OSV:GHSA-4RCQ-JV2F-898J", "href": "https://osv.dev/vulnerability/GHSA-4rcq-jv2f-898j", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T12:07:11", "description": "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.", "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-07T21:15:00", "type": "cve", "title": "CVE-2020-11054", "cwe": ["CWE-684"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11054"], "modified": "2020-09-21T02:15:00", "cpe": [], "id": "CVE-2020-11054", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11054", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}]}
[SECURITY] Fedora 32 Update: qutebrowser-1.13.1-1.fc32
