Arch Linux Security Advisory ASA-201806-13 ========================================== Severity: Medium Date : 2018-06-26 CVE-ID : CVE-2018-1000559 Package : qutebrowser Type : cross-site scripting Remote : Yes Link : https://security.archlinux.org/AVG-724 Summary ======= The package qutebrowser before version 1.3.3-1 is vulnerable to cross- site scripting. Resolution ========== Upgrade to 1.3.3-1. # pacman -Syu "qutebrowser>=1.3.3-1" The problem has been fixed upstream in version 1.3.3. Workaround ========== None. Description =========== qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS) vulnerability that can result in a website stealing the user's browsing history. This attack can be exploitable by tricking the victim into opening a page with a specially crafted attribute, and then opening the qute://history site via the :history command. Impact ====== A remote attacker is able to steal the browser history with a specially crafted web page title. References ========== https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7 https://github.com/qutebrowser/qutebrowser/issues/4011 https://security.archlinux.org/CVE-2018-1000559