CVE-2020-11054
CVE-2020-11054 is a low-severity vulnerability in Qutebrowser with a CVSS 3.x base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-684.
Key facts
- Severity: Low (CVSS 3.x base score 3.5)
- CVSS v2: 4.3
- EPSS exploit prediction: 1% (67th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-684
- Affected product: Qutebrowser
- Published:
- Last modified:
Description
In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.
Frequently asked questions
- What is CVE-2020-11054?
- In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.
- How severe is CVE-2020-11054?
- CVE-2020-11054 has a CVSS 3.x base score of 3.5, rated low severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2020-11054 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (67th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-11054?
- CVE-2020-11054 primarily affects Qutebrowser. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-11054?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-11054 published?
- CVE-2020-11054 was published on 2020-05-07 and last updated on 2026-06-17.
References
- https://bugs.kde.org/show_bug.cgi?id=420902
- https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975
- https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327
- https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755
- https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478
- https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8
- https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
- https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3
- https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948
- https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23
- https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864
- https://github.com/qutebrowser/qutebrowser/issues/5403
- https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/
- https://tracker.die-offenbachs.homelinux.org/eric/issue328
Affected products (3)
- cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
More vulnerabilities in Qutebrowser
- CVE-2018-10895 — Critical (CVSS 9.3): qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access…
- CVE-2021-41146 — High (CVSS 8.8): qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the…
- CVE-2018-1000559 — Medium (CVSS 6.1): qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting…
All CVEs affecting Qutebrowser →
Other CWE-684 vulnerabilities
- CVE-2024-50357 — Critical (CVSS 9.8): FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in…
- CVE-2024-6425 — Critical (CVSS 9.1): Incorrect Provision of Specified Functionality vulnerability in MESbook 20221021.03 version. An unauthenticated remote…
- CVE-2023-24845 — Critical (CVSS 9.1): A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM…
- CVE-2023-4258 — High (CVSS 8.6): In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be…
- CVE-2025-66384 — High (CVSS 8.2): app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity,…
- CVE-2025-58325 — High (CVSS 8.2): An Incorrect Provision of Specified Functionality vulnerability [CWE-684] in FortiOS 7.6.0, 7.4.0 through 7.4.5, 7.2.5…