PT-2017-17116 · Bittorrent+1 · Qbittorrent+1

Published: 2017-03-06 · Updated: 2024-11-05 · CVE-2017-6503

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

qBittorrent versions prior to 3.3.11
qBittorrent versions prior to the version released in October 2024

Description

The issue concerns a lack of proper escaping of values in the WebUI, potentially leading to XSS attacks. Additionally, there was a long-standing problem with the DownloadManager component not checking SSL/TLS certificates, making it vulnerable to MITM attacks. This lack of certificate verification was present since April 6, 2010. The problem was resolved in a version released in October 2024. There have been other security issues in the past, including the use of default credentials in the web interface allowing RCE through an external program function, special characters in torrent names leading to RCE through RSS feeds, and unescaped values leading to XSS attacks.

Recommendations

For versions prior to 3.3.11, update to version 3.3.11 or later to resolve the XSS issue. For versions prior to the one released in October 2024, update to the latest version to address the MITM vulnerability through the DownloadManager component. As a temporary workaround, consider disabling the WebUI until a patch is available. Restrict access to the DownloadManager component to minimize the risk of MITM attacks until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2017-2101
CVE-2017-6503
DLA-897-1

Affected Products

Alt Linux
Qbittorrent