Safety vulnerability ID: 37812
The information on this page was manually curated by our Cybersecurity Intelligence Team.
In qutebrowser 1.3.3, an XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. If you're currently unable to upgrade, avoid using `:history`. See CVE-2018-1000559.
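The class of bug described above, as an added example (not qutebrowser's own code): a history list built by string interpolation, with the page title inserted raw beside the escaped form, plus a parser-based check for markup the template did not emit. The function names and the sample history entries are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed history entries (url, title). The second title carries markup,
# standing in for a <title> controlled by the visited site.
HISTORY = [
    ("https://example.org/", "Example Domain"),
    ("https://example.net/", "</a><script>/* constructed */</script>"),
]


def render_unsafe(entries):
    """Vulnerable pattern: the page title is interpolated as raw HTML."""
    rows = "".join(f'<li><a href="{url}">{title}</a></li>' for url, title in entries)
    return f"<ul>{rows}</ul>"


def render_safe(entries):
    """Hardened pattern: URL and title are HTML-escaped before interpolation."""
    rows = "".join(
        f'<li><a href="{html.escape(url, quote=True)}">{html.escape(title)}</a></li>'
        for url, title in entries
    )
    return f"<ul>{rows}</ul>"


class TagCollector(HTMLParser):
    """Records every start tag the HTML parser actually sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(markup, allowed=frozenset({"ul", "li", "a"})):
    """Return tags outside the template's own set, i.e. injected markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return sorted(set(collector.tags) - allowed)
```

A check like `unexpected_tags` fits a regression test for any internal page that renders site-supplied strings such as titles.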
Latest version: 3.4.0
A keyboard-driven, vim-like browser based on Python and Qt.
Changed
- Windows/macOS releases now ship with Qt 5.12.6. This includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78.
Fixed
- Unbinding keys via `config.bind(key, None)` accidentally worked in v1.7.0 but raises an exception in v1.8.0. It now works again, but is deprecated and shows an error. Note that `:config-py-write` did write such invalid lines before v1.8.0, so existing config files might need adjustments.
- The `readability-js` userscript now handles encodings correctly (which it didn't before for some websites).
- `<Shift-Insert>` can now be used to paste text starting with a hyphen.
- Following hints via the number keypad now works properly again.
- Errors while reading the state file are now displayed instead of causing a crash.
- Crash when using `:debug-log-level` without a console attached.
- Downloads are now hidden properly when the browser is in fullscreen mode.
- Crash when setting `colors.webpage.bg` to an empty value with QtWebKit.
- Crash when the history database file is not a proper sqlite database.
- Workaround for missing/broken error pages on Debian.
- A deprecation warning (caused by pywin32) about the imp module on Windows is now hidden.