CRITICAL🇵🇱 Wersja polska

CVE-2023-30801

CVSS 9.8v3.1pub. 2023-10-10upd. 2025-02-13

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Qbittorrent

    APP
    Qbittorrent
    ≤ 4.5.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-13640CRITICAL9.8ten sam produkt

In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp all...

CVE-2024-51774HIGH8.1ten sam produkt

qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.

CVE-2017-12778HIGH7.1ten sam produkt

The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows Attack ...

CVE-2025-54310MEDIUM4.0ten sam produkt

qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affect...

CVE-2017-6503MEDIUM6.1ten sam produkt

WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS.