attribute, and then opening the qute://history site via the :history command. Impact ====== A remote attacker is able to steal the browser history with a specially crafted web page title. References ========== https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7 https://github.com/qutebrowser/qutebrowser/issues/4011 https://security.archlinux.org/CVE-2018-1000559

Arch Linux Security Advisory ASA-201806-13
==========================================

Severity: Medium
Date    : 2018-06-26
CVE-ID  : CVE-2018-1000559
Package : qutebrowser
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-724

Summary
=======

The package qutebrowser before version 1.3.3-1 is vulnerable to cross-
site scripting.

Resolution
==========

Upgrade to 1.3.3-1.

# pacman -Syu "qutebrowser>=1.3.3-1"

The problem has been fixed upstream in version 1.3.3.

Workaround
==========

None.

Description
===========

qutebrowser before 1.3.3 contains a Cross Site Scripting (XSS)
vulnerability that can result in a website stealing the user's browsing
history. This attack can be exploitable by tricking the victim into
opening a page with a specially crafted <title> attribute, and then
opening the qute://history site via the :history command.

Impact
======

A remote attacker is able to steal the browser history with a specially
crafted web page title.

References
==========

https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7
https://github.com/qutebrowser/qutebrowser/issues/4011
https://security.archlinux.org/CVE-2018-1000559