Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary command execution on Windows in qutebrowser
Vulnerability Description
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
qutebrowser 命令注入漏洞
Vulnerability Description
qutebrowser是一款基于Python和PyQt5的开源键盘浏览器。 qutebrowser 存在安全漏洞,该漏洞源于 qtebrowser 的 Windows 安装程序注册了一个 qutebrowserurl: URL 处理程序。对于某些应用程序,打开特制的 qutebrowserurl:... URL 会导致执行 qtebrowser 命令,这反过来又允许通过诸如 :spawn 或 :debug-pyeval 之类的命令执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A