*** This bug is a security vulnerability ***

Public security bug reported:

https://github.com/qutebrowser/qutebrowser/issues/4060

Due to a CSRF vulnerability affecting the qute://settings page, it was
possible for websites to modify qutebrowser settings. Via settings like
editor.command, this possibly allowed websites to execute arbitrary
code.

This issue has been assigned CVE-2018-10895.

** Affects: qutebrowser (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: qutebrowser (Ubuntu Bionic)
     Importance: Medium
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Tags: community-security

** Also affects: qutebrowser (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: qutebrowser (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: qutebrowser (Ubuntu Bionic)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: qutebrowser (Ubuntu)
       Status: New => Fix Released

** Changed in: qutebrowser (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: qutebrowser (Ubuntu)
   Importance: Undecided => Medium

-- 
https://bugs.launchpad.net/bugs/1782456

Title:
  [CVE] Remote code execution due to CSRF on the qute://settings page