CVE-2018-1000559 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-1000559 Interim 1 11 2025-02-17T02:27:01Z current 2021-05-30T14:20:41Z 2025-02-17T02:27:01Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-1000559 qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XXYOXNSEXFCJEQ5USVGOESTI3YHYQT7P/#XXYOXNSEXFCJEQ5USVGOESTI3YHYQT7P E-Mail link for openSUSE-SU-2018:2120-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HQHO7IDKQ5OTPUWY3WTKF25QOWIMADZK/#HQHO7IDKQ5OTPUWY3WTKF25QOWIMADZK E-Mail link for openSUSE-SU-2018:2130-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 openSUSE Tumbleweed qutebrowser-1.4.1-lp150.2.3.1 qutebrowser-2.3.1-2.1 qutebrowser-1.4.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 qutebrowser-2.3.1-2.1 as a component of openSUSE Tumbleweed qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). CVE-2018-1000559 openSUSE Leap 15.0:qutebrowser-1.4.1-lp150.2.3.1 openSUSE Tumbleweed:qutebrowser-2.3.1-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N