CVE-2018-10895

Severity: Critical
Remote: Yes
Type: Arbitrary code execution
Description
Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like 'editor.command', this possibly allowed websites to execute arbitrary code.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-735 | qutebrowser | 1.4.0-1 | 1.4.1-1 | Critical | Fixed | |
| Date | Advisory | Group | Package | Severity | Description |
|---|---|---|---|---|---|
| 11 Jul 2018 | ASA-201807-3 | AVG-735 | qutebrowser | Critical | arbitrary code execution |
References
https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660
https://github.com/qutebrowser/qutebrowser/issues/4060