pysec-2018-26
Vulnerability from pysec
Published
2018-06-26 16:29
Modified
2021-06-10 06:51
Details

qutebrowser, in versions starting with v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449), contains a Cross Site Scripting (XSS) vulnerability in the history command (the qute://history page): via injected JavaScript code, a website can steal the user's browsing history. The attack appears to be exploitable when the victim opens a page with a specially crafted <title> attribute and then opens the qute://history site via the :history command. This vulnerability appears to have been fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week).

Aliases
CVE-2018-1000559
GHSA-m4fw-77v7-924m

Affected package
qutebrowser (PyPI, pkg:pypi/qutebrowser)
Introduced: 0.11.0
Fixed: 1.3.3
Affected versions: 0.11.0, 0.11.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2

References
REPORT: https://github.com/qutebrowser/qutebrowser/issues/4011
FIX: https://github.com/qutebrowser/qutebrowser/commit/5a7869f2feaa346853d2a85413d6527c87ef0d9f
FIX: https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7
ADVISORY: https://github.com/advisories/GHSA-m4fw-77v7-924m

Related vulnerabilities (2)

cve-2018-1000559
Vulnerability from cvelistv5
Published
2018-06-26 16:00
Modified
2024-08-05 12:40
Impacted products
Vendor: n/a, Product: n/a, Version: n/a
Details on NVD: https://nvd.nist.gov/vuln/detail/cve-2018-1000559

ghsa-m4fw-77v7-924m
Vulnerability from github
Published
2018-09-13 15:47
Modified
2024-10-25 21:36
Severity
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Qutebrowser XSS Vulnerability
CWE
CWE-79
Details on source website: https://github.com/advisories/ghsa-m4fw-77v7-924m
Are you sure?')) { return; } var csrf_token = "ImMyZDM1ZDkyM2M5ZDBjYzhiYzQyYTI3NjNjZWQ4ZjU0MmZmNjE3YzQi.Z3frkA.ZKZjlYeakiWpG2POcvuMfDkhwC4"; fetch("/api/vulnerability/pysec-2018-26", { method: "DELETE", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token } }) .then(response => { if (!response.ok) { console.log(response); } else { window.location="/recent"; } }) .catch((error) => { console.log(error); }); }; } function addSighting(originalEvent, source) { const clickedItem = originalEvent.target; var csrf_token = "ImMyZDM1ZDkyM2M5ZDBjYzhiYzQyYTI3NjNjZWQ4ZjU0MmZmNjE3YzQi.Z3frkA.ZKZjlYeakiWpG2POcvuMfDkhwC4"; var json = {}; json["type"] = clickedItem.getAttribute("value"); json["vulnerability"] = "pysec-2018-26"; json["source"] = source; data = JSON.stringify(json); fetch("/api/sighting/", { method: "POST", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token }, body: data }) .then(res => { if (!res.ok) { res.json().then(json => { document.getElementById("modal-error-text").innerText = "Problem when saving sighting."; var modal = new bootstrap.Modal(document.getElementById('modalError'), {}); modal.show(); }); } else { loadSightings(); showToast("Success", "Sighting added successfully!"); openTabById("#sightings"); } }) .catch((error) => { console.log(error); }); }; // Function to display the modal function showModal(title, message, confirmCallback, event) { // Get modal elements const modal = new bootstrap.Modal(document.getElementById('sightingModal')); const modalTitle = document.getElementById('sightingModalLabel'); const modalMessage = document.getElementById('modalMessage'); const confirmButton = document.getElementById('sightingModalConfirm'); const sourceInput = document.getElementById('sourceInput'); // Set modal title and body message modalTitle.textContent = title; modalMessage.textContent = message; // Clear previous input value sourceInput.value = ''; // Remove any previous click event to avoid duplication 
confirmButton.replaceWith(confirmButton.cloneNode(true)); // Attach new event listener for confirmation button document.getElementById('sightingModalConfirm').addEventListener('click', () => { const source = sourceInput.value.trim(); confirmCallback(event, source); // Pass the source to the callback modal.hide(); }); // Show the modal modal.show(); } // Attach click event listener to sightings list const sightings_list = document.getElementById('sighting-list'); if (sightings_list) { sightings_list.addEventListener('click', function (event) { showModal( 'New Sighting', 'Are you sure you want to add this sighting?', addSighting, event ); }); } document.getElementById("savecomment").addEventListener("click", function(event) { var csrf_token = "ImMyZDM1ZDkyM2M5ZDBjYzhiYzQyYTI3NjNjZWQ4ZjU0MmZmNjE3YzQi.Z3frkA.ZKZjlYeakiWpG2POcvuMfDkhwC4"; var json = jsoneditor.getValue(); json["description"] = easyMDE.value(); json["vulnerability"] = "pysec-2018-26"; data = JSON.stringify(json); fetch("/api/comment/", { method: "POST", headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrf_token }, body: data }) .then(res => { if (!res.ok) { res.json().then(json => { document.getElementById("modal-error-text").innerText = json['message']; var modal = new bootstrap.Modal(document.getElementById('modalError'), {}); modal.show(); }); } else { // reinitializes the form window.jsoneditor.setValue({}); easyMDE.value(""); // collapse the view which is containing the form new bootstrap.Collapse(document.getElementById("newCommentpysec-2018-26")); // load the updated list of comments loadComments(); showToast("Success", "Comment added successfully!"); } }) .catch((error) => { console.log(error); }); }); function copyToClipboard(vuln_id) { const copyText = document.getElementById("container"+vuln_id).textContent; const textArea = document.createElement('textarea'); textArea.textContent = copyText; navigator.clipboard.writeText(textArea.value).then(function() { /* clipboard 
successfully set */ showToast("Success", "Content copied to your clipboard."); }, function() { /* clipboard write failed */ }); } function loadComments() { COMMENTS = {}; var DateTime = luxon.DateTime; var converter = new showdown.Converter({tables: true, moreStyling: true}); var commentTemplate = _.template( '<div class="card markdown-description">' + '<div class="card-body">' + '<h5 class="card-title"><a href="/comment/<%= uuid %>"><%= title %></a></h5>' + '<p class="card-title">' + '<% _.forEach(tags, function(tag) ' + '{ %><span class="badge bg-primary"><a class="link-light" href="/comments/?meta=%5B%7B%22tags%22%3A%20%5B%22<%= tag %>%22%5D%7D%5D"><%= tag %></a></span> <% }); %>' + '</p>' + '<h6 class="card-subtitle mb-2 text-body-secondary"><%= timestamp %> by <a href="/user/<%= author_login %>"><%= author_name %></a></h6>' + '<p class="card-text"><%= description %></p>' + '<div class="btn-group" role="group">' + '<a role="button" class="btn btn-primary" data-bs-toggle="collapse" data-bs-target="#collapseJsonComment<%= uuid %>" aria-expanded="false" aria-controls="collapseJsonComment<%= uuid %>">JSON</a>' + '</div>' + '<div class="collapse" id="collapseJsonComment<%= uuid %>"><br /><pre class="json-container"><%= comment %></pre></div>' + '</div></div>' ); fetch("/api/comment/?vuln_id=pysec-2018-26") .then(response => response.json()) .then(result => { document.getElementById("list-comments").innerHTML = ""; document.getElementById("nb-comments").innerText = result.metadata.count; if (result.metadata.count == 0) { document.getElementById("list-comments").innerHTML = "<p>No comment for this vulnerability. 
Browse <a href='/comments'>all the comments</a>.</p>"; } result.data .sort(function (a, b) { return new Date(b.timestamp) - new Date(a.timestamp); }) .map(function (comment) { var author = comment.author delete comment.author; if (Array.isArray(comment["meta"]) && comment["meta"].length > 0) { var itemWithTags = comment.meta.find(item => item.tags); var tags = itemWithTags ? itemWithTags.tags : []; } else { var tags = []; } var cardHTML = commentTemplate({ 'comment': JSON.stringify(comment, null, 2), 'uuid': comment.uuid, 'title': comment.title, 'description': converter.makeHtml(comment.description), 'timestamp': DateTime.fromISO(comment.timestamp).toRelative(), 'author_name': author.name, 'author_login': author.login, 'tags': tags }); COMMENTS[comment.uuid] = comment; var element = document.createElement("div"); var element_br = document.createElement("br"); element.innerHTML = cardHTML; document.getElementById("list-comments").appendChild(element.firstChild); document.getElementById("list-comments").append(element_br); }) }) .then(_ => { setTimeout(() => { formatMarkdownOutput(); if (easyMDE === null) { easyMDE = new EasyMDE({ element: document.getElementById('root[description]'), autoRefresh: { delay: 300 }, toolbarButtonClassPrefix: "mde", toolbar: [ "bold", "italic", "heading", "|", "quote", "code", "table", "unordered-list", "ordered-list", "|", "link", "image", "|", "preview", "side-by-side", "fullscreen", "|" ] }); } }, 0); // 0ms delay still allows the browser to update the DOM return COMMENTS; }) .catch((error) => { console.error('Error:', error); }); } function initialize_editor(schema, json_object) { // Default starting schema if(!schema) { schema = {} } // Divs/textareas on the page var $schema = schema; var $output = document.getElementById('output'); var $editor = document.getElementById('editor'); // Default theme JSONEditor.defaults.options.theme = 'bootstrap5'; window.startval = json_object; var jsoneditor; var reload = function(keep_value) { var 
startval = (jsoneditor && keep_value)? jsoneditor.getValue() : window.startval; window.startval = undefined; if (jsoneditor) { jsoneditor.destroy(); } jsoneditor = new JSONEditor($editor, { // The schema for the editor schema: schema, // Remove collapse button disable_collapse: true, // Seed the form with a starting value startval: startval, // Enable fetching schemas via ajax ajax: true, // Disable additional properties no_additional_properties: false, // Require all properties by default required_by_default: true, show_opt_in: false, disable_edit_json: true, theme: "bootstrap5", object_background: document.documentElement.getAttribute("data-bs-theme") == "dark" ? "bg-dark" : "bg-light", }); window.jsoneditor = jsoneditor; // When the value of the editor changes, update the JSON output and validation message jsoneditor.on('change',function() { var json = jsoneditor.getValue(); }); }; // Start the schema and output textareas with initial values $schema.value = JSON.stringify(schema, null, 2); reload(); }; function loadBundles() { var DateTime = luxon.DateTime; var converter = new showdown.Converter({tables: true, moreStyling: true}); var bundleTemplate = _.template( '<div class="card markdown-description">' + '<div class="card-body">' + '<h5 class="card-title"><a href="/bundle/<%= uuid %>"><%= name %></a></h5>' + '<h6 class="card-subtitle mb-2 text-body-secondary"><%= timestamp %> by <a href="/user/<%= author_login %>"><%= author_name %></a></h6>' + '<p class="card-text"><%= description %></p>' + '<h5 class="card-text">Related vulnerabilities</h5>' + '<div class="card" >' + '<ul class="list-group list-group-flush">' + '<% _.forEach(related_vulnerabilities, function(vuln) ' + '{ %><li class="list-group-item"><a href="/vuln/<%= vuln %>"><%- vuln %></a></li><% }); %>' + '</ul>' + '</div>' + '</div>'); fetch("/api/bundle/?vuln_id=pysec-2018-26") .then(response => response.json()) .then(result => { document.getElementById("list-bundles").innerHTML = "<p>Bundles 
referring to this vulnerability.</p>"; if (result.metadata.count == 0) { document.getElementById("list-bundles").innerHTML = "<p>This vulnerability is not linked to any bundle.</p>"; } result.data .sort(function (a, b) { return new Date(b.updated_at) - new Date(a.updated_at); }) .map(function (bundle) { var author = bundle.author delete bundle.author; var cardHTML = bundleTemplate({ 'uuid': bundle.uuid, 'name': bundle.name, 'description': converter.makeHtml(bundle.description), 'timestamp': DateTime.fromISO(bundle.timestamp).toRelative(), 'related_vulnerabilities': bundle.related_vulnerabilities.map(v => v.toLowerCase()), 'author_name': author.name, 'author_login': author.login }); var element = document.createElement("div"); var element_br = document.createElement("br"); element.innerHTML = cardHTML; document.getElementById("list-bundles").appendChild(element.firstChild); document.getElementById("list-bundles").append(element_br); }) }) .then(_ => { setTimeout(() => { formatMarkdownOutput(); }, 0); // 0ms delay still allows the browser to update the DOM }) .catch((error) => { console.error('Error:', error); }); }; function loadSightings() { fetch("/api/sighting/?vuln_id=pysec-2018-26&date_from=1970-01-01") .then(response => response.json()) .then(result => { document.getElementById("nb-sightings").innerText = result.metadata.count; if (result.metadata.count == 0) { document.getElementById("sightings-pane-top").style.display = 'none'; document.getElementById("chart-sightings").innerHTML = "<p>No sightings for this vulnerability.</p>"; document.getElementById("sightingsChartContainer").style.display = 'none'; document.getElementById("chart-detailed-legend").style.display = 'none'; } else{ drawBarChart(result.data); document.getElementById("sightings-pane-top").style.display = 'block'; document.getElementById("chart-sightings").innerHTML = "<h3>Evolution of sightings over time</h3>"; document.getElementById("sightingsChartContainer").style.display = 'block'; 
document.getElementById("chart-detailed-legend").style.display = 'block'; // clear the table const tableBody = document.getElementById("sighting-table-body"); while (tableBody.firstChild) { tableBody.removeChild(tableBody.firstChild); } result.data .sort(function (a, b) { return new Date(b.creation_timestamp) - new Date(a.creation_timestamp); }) .map(function (sighting) { const row = document.createElement('tr'); // Create a table row // Create and append the Author cell const authorCell = document.createElement('td'); // authorCell.textContent = sighting.author.login; authorCell.innerHTML = '<a href="/user/'+sighting.author.login+'">'+sighting.author.login+'</a>'; row.appendChild(authorCell); // Create and append the Source cell const sourceCell = document.createElement('td'); if (isValidURL(sighting.source)) { sourceCell.innerHTML = '<a href="'+sighting.source+'" rel="noreferrer" target="_blank">'+sighting.source+'</a>'; } else { sourceCell.textContent = sighting.source; } row.appendChild(sourceCell); // Create and append the Type cell const typeCell = document.createElement('td'); typeCell.textContent = sighting.type; row.appendChild(typeCell); // Create and append the Date cell const dateCell = document.createElement('td'); dateCell.classList.add('datetime'); dateCell.textContent = sighting.creation_timestamp; dateCell.title = sighting.creation_timestamp; row.appendChild(dateCell); document.getElementById("sighting-table-body").appendChild(row); }) var DateTime = luxon.DateTime; elements = document.getElementsByClassName("datetime"); Array.prototype.forEach.call(elements, function(element) { element.textContent = DateTime.fromISO(element.textContent).toRelative() }); } }) .catch((error) => { console.error('Error:', error); }); }; document.getElementById("btnThemeSwitch").addEventListener("click",()=>{ if (document.documentElement.getAttribute("data-bs-theme") == "dark") { Array.from(document.getElementsByClassName("card")).forEach(container => { 
container.classList.remove("bg-dark"); container.classList.add("bg-light"); }); } else { Array.from(document.getElementsByClassName("card")).forEach(container => { container.classList.remove("bg-light"); container.classList.add("bg-dark"); }); } }) </script> </div> </main> <footer class="footer bg-light"> <div class="container"> <div class="row"> <div class="col d-none d-md-block"> <div class="d-flex justify-content-start"> <span class="text-muted"><a href="https://www.circl.lu" rel="noreferrer" target="_blank">Computer Incident Response Center Luxembourg (CIRCL)</a></span> </div> </div> <div class="col"> <div class="d-flex justify-content-end"> <a class="text-end d-none d-md-block" href="https://vulnerability.circl.lu/dumps/">Dumps</a>   <a class="text-end" href="/users/">Contributors</a>   <a class="text-end" href="/documentation/">Documentation</a>   <a class="text-end" href="/api/">API</a>   <a class="text-end" href="/about">About</a>   <a class="text-end" href="https://github.com/cve-search/vulnerability-lookup" title="Source code of Vulnerability-Lookup" target="_blank"> <svg class="bi" width="1em" height="1em" fill="currentColor"> <use xlink:href="/bootstrap/static/icons/bootstrap-icons.svg#github"/> </svg> </a> </div> </div> </div> </div> </footer> <!-- Optional JavaScript --> <script src="/bootstrap/static/umd/popper.min.js"></script> <script src="/bootstrap/static/js/bootstrap.min.js"></script> <script> if (getCookie("theme") == 'light') { document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-moon-stars-fill" viewBox="0 0 16 16"><path d="M6 .278a.77.77 0 0 1 .08.858 7.2 7.2 0 0 0-.878 3.46c0 4.021 3.278 7.277 7.318 7.277q.792-.001 1.533-.16a.79.79 0 0 1 .81.316.73.73 0 0 1-.031.893A8.35 8.35 0 0 1 8.344 16C3.734 16 0 12.286 0 7.71 0 4.266 2.114 1.312 5.124.06A.75.75 0 0 1 6 .278"/><path d="M10.794 3.148a.217.217 0 0 1 .412 0l.387 1.162c.173.518.579.924 1.097 
1.097l1.162.387a.217.217 0 0 1 0 .412l-1.162.387a1.73 1.73 0 0 0-1.097 1.097l-.387 1.162a.217.217 0 0 1-.412 0l-.387-1.162A1.73 1.73 0 0 0 9.31 6.593l-1.162-.387a.217.217 0 0 1 0-.412l1.162-.387a1.73 1.73 0 0 0 1.097-1.097zM13.863.099a.145.145 0 0 1 .274 0l.258.774c.115.346.386.617.732.732l.774.258a.145.145 0 0 1 0 .274l-.774.258a1.16 1.16 0 0 0-.732.732l-.258.774a.145.145 0 0 1-.274 0l-.258-.774a1.16 1.16 0 0 0-.732-.732l-.774-.258a.145.145 0 0 1 0-.274l.774-.258c.346-.115.617-.386.732-.732z"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to dark theme'); } else { document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-sun-fill" viewBox="0 0 16 16"><path d="M8 12a4 4 0 1 0 0-8 4 4 0 0 0 0 8M8 0a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 0m0 13a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 13m8-5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2a.5.5 0 0 1 .5.5M3 8a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2A.5.5 0 0 1 3 8m10.657-5.657a.5.5 0 0 1 0 .707l-1.414 1.415a.5.5 0 1 1-.707-.708l1.414-1.414a.5.5 0 0 1 .707 0m-9.193 9.193a.5.5 0 0 1 0 .707L3.05 13.657a.5.5 0 0 1-.707-.707l1.414-1.414a.5.5 0 0 1 .707 0m9.193 2.121a.5.5 0 0 1-.707 0l-1.414-1.414a.5.5 0 0 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .707M4.464 4.465a.5.5 0 0 1-.707 0L2.343 3.05a.5.5 0 1 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .708"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-white-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to light theme'); } document.addEventListener("DOMContentLoaded", function() { document.getElementById('btnThemeSwitch').addEventListener('click',()=>{ if (document.documentElement.getAttribute('data-bs-theme') == 'dark') { document.documentElement.setAttribute('data-bs-theme','light') 
document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-moon-stars-fill" viewBox="0 0 16 16"><path d="M6 .278a.77.77 0 0 1 .08.858 7.2 7.2 0 0 0-.878 3.46c0 4.021 3.278 7.277 7.318 7.277q.792-.001 1.533-.16a.79.79 0 0 1 .81.316.73.73 0 0 1-.031.893A8.35 8.35 0 0 1 8.344 16C3.734 16 0 12.286 0 7.71 0 4.266 2.114 1.312 5.124.06A.75.75 0 0 1 6 .278"/><path d="M10.794 3.148a.217.217 0 0 1 .412 0l.387 1.162c.173.518.579.924 1.097 1.097l1.162.387a.217.217 0 0 1 0 .412l-1.162.387a1.73 1.73 0 0 0-1.097 1.097l-.387 1.162a.217.217 0 0 1-.412 0l-.387-1.162A1.73 1.73 0 0 0 9.31 6.593l-1.162-.387a.217.217 0 0 1 0-.412l1.162-.387a1.73 1.73 0 0 0 1.097-1.097zM13.863.099a.145.145 0 0 1 .274 0l.258.774c.115.346.386.617.732.732l.774.258a.145.145 0 0 1 0 .274l-.774.258a1.16 1.16 0 0 0-.732.732l-.258.774a.145.145 0 0 1-.274 0l-.258-.774a1.16 1.16 0 0 0-.732-.732l-.774-.258a.145.145 0 0 1 0-.274l.774-.258c.346-.115.617-.386.732-.732z"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to dark theme'); document.cookie = "theme=light; path=/; SameSite=Strict"; } else { document.documentElement.setAttribute('data-bs-theme','dark'); document.getElementById('btnThemeSwitch').innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-sun-fill" viewBox="0 0 16 16"><path d="M8 12a4 4 0 1 0 0-8 4 4 0 0 0 0 8M8 0a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 0m0 13a.5.5 0 0 1 .5.5v2a.5.5 0 0 1-1 0v-2A.5.5 0 0 1 8 13m8-5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2a.5.5 0 0 1 .5.5M3 8a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1 0-1h2A.5.5 0 0 1 3 8m10.657-5.657a.5.5 0 0 1 0 .707l-1.414 1.415a.5.5 0 1 1-.707-.708l1.414-1.414a.5.5 0 0 1 .707 0m-9.193 9.193a.5.5 0 0 1 0 .707L3.05 13.657a.5.5 0 0 1-.707-.707l1.414-1.414a.5.5 0 0 1 .707 0m9.193 2.121a.5.5 0 0 
1-.707 0l-1.414-1.414a.5.5 0 0 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .707M4.464 4.465a.5.5 0 0 1-.707 0L2.343 3.05a.5.5 0 1 1 .707-.707l1.414 1.414a.5.5 0 0 1 0 .708"/></svg>'; document.getElementById('vulnerability-lookup-logo').src = '/static/img/VL-hori-white-coul.png'; document.getElementById('btnThemeSwitch').setAttribute('title', 'Switch to light theme'); document.cookie = "theme=dark; path=/; SameSite=Strict"; } }) }); </script> </body> </html>