CRITICAL🇬🇧 English

CVE-2023-30801

CVSS 9.8v3.1pub. 2023-10-10upd. 2025-02-13

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Qbittorrent

    APP
    Qbittorrent
    ≤ 4.5.5
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2019-13640CRITICAL9.8ten sam produkt

In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp all...

CVE-2024-51774HIGH8.1ten sam produkt

qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.

CVE-2017-12778HIGH7.1ten sam produkt

The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows Attack ...

CVE-2025-54310MEDIUM4.0ten sam produkt

qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affect...

CVE-2017-6503MEDIUM6.1ten sam produkt

WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS.