CVE-2019-13640

Name of the Vulnerable Software and Affected Versions qBittorrent versions prior to 4.1.7

Description The issue is related to the function Application::runExternalProgram() located in app/application.cpp, which allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter. This could enable a remote attacker to gain unauthorized access to confidential data, cause a denial of service, or impact data integrity. Additionally, there was a lack of SSL/TLS certificate verification in the DownloadManager component, allowing for potential MITM attacks.

Recommendations For versions prior to 4.1.7, update to version 4.1.7 or later to resolve the issue. As a temporary workaround, consider disabling the runExternalProgram() function until a patch is available. Restrict access to the DownloadManager component to minimize the risk of exploitation. Avoid using special characters in the torrent name parameter or current tracker parameter in the affected API endpoint until the issue is resolved.