Description

Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers it as a handler for certain URL schemes. With some applications such as Outlook Desktop, opening a specially crafted URL can lead to argument injection, allowing execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as :spawn or :debug-pyeval.

Only Windows installs where qutebrowser is registered as a URL handler are affected. It does not have to be set as the default browser for the exploit to work.

The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.

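The hardening principle behind a flag such as --untrusted-args is that a URL handler must never let arguments supplied by whoever invoked it (an OS scheme dispatch, an e-mail client, another application) be parsed as options or commands. The following is an added illustration of that boundary, written for this page; it is not qutebrowser's code, the exact semantics it gives the marker are an assumption, and the option names, scheme allowlist and sample command lines are constructed:

```python
"""Illustration of an 'untrusted arguments' boundary for a URL-scheme handler.

Constructed example, not qutebrowser's implementation. The launcher definition
(a .desktop file or a registry entry) places the marker on the command line;
everything after it came from the caller and is treated as data only.
"""
from urllib.parse import urlsplit

# Marker name taken from the advisory; the behaviour modelled here is assumed.
UNTRUSTED_MARKER = "--untrusted-args"
# Constructed allowlist: which schemes an untrusted argument may open.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeArgumentError(ValueError):
    """Raised when an untrusted argument looks like an option or a command."""


def parse_legacy(argv):
    """Naive parser: any argument starting with '-' or ':' is interpreted.

    This models the weak behaviour: a token smuggled into the command line by a
    remote party is indistinguishable from one the user typed.
    """
    options, commands, urls = [], [], []
    for arg in argv:
        if arg.startswith("-"):
            options.append(arg)
        elif arg.startswith(":"):
            commands.append(arg)
        else:
            urls.append(arg)
    return {"options": options, "commands": commands, "urls": urls}


def parse_hardened(argv):
    """Parser that honours the untrusted-args boundary.

    Arguments before the marker come from the trusted launcher definition and
    may be options. Arguments after the marker come from the caller and must be
    plain URLs on the allowlist; anything else is rejected outright.
    """
    if UNTRUSTED_MARKER not in argv:
        # No boundary present: behave exactly like the legacy parser.
        return parse_legacy(argv)
    idx = argv.index(UNTRUSTED_MARKER)  # first marker wins; later copies are untrusted
    trusted, untrusted = argv[:idx], argv[idx + 1:]
    result = parse_legacy(trusted)
    for arg in untrusted:
        if arg.startswith(("-", ":")):
            raise UnsafeArgumentError(
                f"refusing to treat untrusted argument as option/command: {arg!r}")
        parts = urlsplit(arg)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
            raise UnsafeArgumentError(f"untrusted argument is not an allowed URL: {arg!r}")
        result["urls"].append(arg)
    return result


if __name__ == "__main__":
    # Constructed caller-supplied arguments: one real URL plus two injected tokens.
    caller_args = ["https://example.org/", "--injected-option", ":injected-command"]
    print("legacy:", parse_legacy(caller_args))
    try:
        parse_hardened(["--example-launcher-option", UNTRUSTED_MARKER] + caller_args)
    except UnsafeArgumentError as exc:
        print("hardened:", exc)
```

The design point is that the boundary is positional and set by the trusted launcher, so the caller cannot move it: a second marker or any dash- or colon-prefixed token appearing after the first marker is simply rejected rather than re-opening option parsing.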