KDE Security Advisory: Konqueror Partially Universal XSS in Error Pages
Original Release Date: 2011-04-11
URL: http://www.kde.org/info/security/advisory-20110411-1.txt

0. References:
        CVE-2011-1168
        http://www.nth-dimension.org.uk/pub/NDSA20110321.txt.asc

1. Systems affected:

        Konqueror as shipped with KDE SC 4.4.0 up to and including KDE SC 4.6.1.
        Earlier versions of KDE SC may also be affected.

2. Overview:

        When Konqueror cannot fetch a requested URL, it renders an error page
        with the given URL. If the URL contains JavaScript or HTML code, this
        code is also rendered, allowing for the user to be tricked into
        visiting a malicious site or providing credentials to an untrusted
        party. A basic example of this vulnerability is as follows:

        http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/">
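The class of flaw described in the overview, shown as an added example that is not Konqueror or KHTML source code: an error page built by pasting the requested URL into markup verbatim, next to a version that HTML-escapes the URL first. The function names and the page template are hypothetical; the sample URL is the one quoted in the advisory.

```cpp
// Added illustration; not Konqueror or KHTML source code.
#include <iostream>
#include <string>

// Escape the characters that are significant in HTML text and in
// quoted attribute values.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Hypothetical error-page template (constructed for this example). The URL
// lands in two contexts: a quoted attribute value and element text.
static std::string fillTemplate(const std::string &urlMarkup) {
    return "<html><body><h1>Error</h1><p>Could not load <a href=\"" + urlMarkup +
           "\">" + urlMarkup + "</a></p></body></html>";
}

// Flawed: the requested URL is pasted into the markup verbatim, so a quote
// or angle bracket in the URL changes the structure of the page.
std::string errorPageUnescaped(const std::string &url) { return fillTemplate(url); }

// Hardened: the URL is escaped before it reaches the markup, so it is
// displayed as text and cannot close the attribute or open a tag.
std::string errorPageEscaped(const std::string &url) { return fillTemplate(htmlEscape(url)); }

// The example URL from the advisory, exactly as it appears on the page.
const std::string kAdvisoryUrl =
    "http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/\">";

int main() {
    std::cout << errorPageUnescaped(kAdvisoryUrl) << "\n\n"
              << errorPageEscaped(kAdvisoryUrl) << "\n";
    return 0;
}
```

Comparing the two outputs shows the trailing `">` of the URL closing the `href` attribute early in the first page and appearing as `&quot;&gt;` in the second.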