Fedora 27 update for qt5-qtwebengine



| Updated: 2025-04-24
Risk High
Patch available YES
Number of vulnerabilities 12
CVE-ID CVE-2017-15429
CVE-2018-6033
CVE-2018-6060
CVE-2018-6062
CVE-2018-6064
CVE-2018-6069
CVE-2018-6071
CVE-2018-6073
CVE-2018-6076
CVE-2018-6079
CVE-2018-6081
CVE-2018-6082
CWE-ID CWE-79
CWE-362
CWE-416
CWE-122
CWE-843
CWE-121
CWE-19
CWE-200
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Fedora
Operating systems & Components / Operating system

qt5-qtwebengine
Operating systems & Components / Operating system package or component

Vendor Fedoraproject

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Universal cross-site scripting

EUVDB-ID: #VU9660

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15429

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in V8 due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU10231

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-6033

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to race condition when opening downloaded files. A remote attacker can trick the victim into opening a specially crafted file, trigger race condition and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free error

EUVDB-ID: #VU11558

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-6060

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU11561

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-6062

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Type confusion

EUVDB-ID: #VU11543

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-6064

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Stack-based buffer overflow

EUVDB-ID: #VU11568

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-6069

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in Skia due to stack-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Heap-based buffer overflow

EUVDB-ID: #VU11570

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-6071

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in Skia due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Heap-based buffer overflow

EUVDB-ID: #VU11573

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-6073

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in WebGL due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Data handling

EUVDB-ID: #VU11578

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-6076

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in Blink due to incorrect handling of URL fragment identifiers. A remote attacker can cause the service to crash.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Information disclosure

EUVDB-ID: #VU11583

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-6079

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in WebGL due to improper information control via texture data. A remote attacker can gain access to potentially sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Cross-site scripting

EUVDB-ID: #VU11585

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-6081

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists in interstitials due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Security restrictions bypass

EUVDB-ID: #VU11586

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-6082

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to circumvention of port blocking. A remote attacker can bypass security restrictions.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 27

qt5-qtwebengine: before 5.10.1-4.fc27

CPE2.3 External links

https://bodhi.fedoraproject.org/updates/FEDORA-2018-44e1c23700


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###