Lucene search

Veracode Vulnerability DatabaseVERACODE:7039

HistoryJul 12, 2018 - 7:56 a.m.

Remote Code Execution (RCE)

2018-07-1207:56:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

57.3%

JSON

qutebrowser is vulnerable to remote code execution (RCE) through cross-site request forgery (CSRF) attacks. The vulnerability exists due to a CSRF issue which allows a website with an `` tag to load the qute://settings/set URL which sets editor.command into a bash script, resulting in RCE attacks.

CPENameOperatorVersion
qutebrowsereq1.4.0
qutebrowserle1.2.1
qutebrowserle1.1.2
qutebrowserle1.3.3

Name	Operator	Version
qutebrowser	eq	1.4.0
qutebrowser	le	1.2.1
qutebrowser	le	1.1.2
qutebrowser	le	1.3.3

References

seclists.org/oss-sec/2018/q3/29

www.openwall.com/lists/oss-security/2018/07/11/7

bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10895

github.com/qutebrowser/qutebrowser/commit/22148ce488da52e8a0e01ed937c0cfdb24d34775

github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660

github.com/qutebrowser/qutebrowser/commit/c2ff32d92ba9bf40ff53498ee04a4124d4993c85

github.com/qutebrowser/qutebrowser/commit/c3361c31b370140f323e481dd455450b1e74c099

github.com/qutebrowser/qutebrowser/commit/ff686ff7f395d83e5ac48507ecfae0b0e97a61ef

github.com/qutebrowser/qutebrowser/issues/4060

0.002 Low

EPSS

Percentile

57.3%

JSON

Related for VERACODE:7039