PT-2023-8956 · Unknown+3 · Qbittorrent+3
Maylio · Published 2023-10-10 · Updated 2025-11-21
CVE-2023-30801
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
qBittorrent versions 4.5.5 and earlier
Description
The issue is related to the use of default credentials when the web user interface is enabled, allowing a remote attacker to authenticate and execute arbitrary operating system commands using the "external program" feature. This was reportedly exploited in the wild in March 2023.
Recommendations
As a temporary workaround, consider disabling the "external program" feature in the web user interface until a patch is available.
Restrict access to the web user interface to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
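The conditions named in the description and recommendations (web UI enabled, default credentials, "external program" enabled, unrestricted web UI access) can be checked in a host's qBittorrent.conf. The following is an added example, not code from this advisory or from the qBittorrent project; the configuration key names, the `headless` parameter and the sample files are assumptions or constructed values and should be confirmed against your own installation.

```python
import configparser

# Key names are assumptions based on the qBittorrent.conf layout written by
# qBittorrent 4.x; confirm them against your own installation.
def audit_qbittorrent_conf(text, headless=False):
    """Return finding labels for the conditions this advisory describes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case, e.g. WebUI\Enabled
    cp.read_string(text)
    prefs = cp["Preferences"] if cp.has_section("Preferences") else {}
    autorun = cp["AutoRun"] if cp.has_section("AutoRun") else {}
    def on(section, key):
        return section.get(key, "false").strip().lower() == "true"
    # Assumption: headless (qbittorrent-nox) builds always serve the web UI.
    if not (headless or on(prefs, "WebUI\\Enabled")):
        return []
    findings = []
    # Assumption: no stored WebUI\Password* key means the shipped default
    # password is still active for the "admin" account.
    has_password = any(k.startswith("WebUI\\Password") for k in prefs)
    if prefs.get("WebUI\\Username", "admin").strip() == "admin" and not has_password:
        findings.append("default-credentials")
    # Assumption: a missing WebUI\Address means "listen on every interface".
    if prefs.get("WebUI\\Address", "*").strip() in ("", "*", "0.0.0.0", "::"):
        findings.append("webui-listens-on-all-interfaces")
    if on(autorun, "enabled") or on(autorun, "OnTorrentAdded\\Enabled"):
        findings.append("external-program-enabled")
    return findings

# Constructed sample configs, not taken from a real host.
WEAK = r"""
[Preferences]
WebUI\Enabled=true
[AutoRun]
enabled=true
program=/usr/local/bin/notify.sh "%N"
"""
HARDENED = r"""
[Preferences]
WebUI\Enabled=true
WebUI\Username=ops
WebUI\Password_PBKDF2="@ByteArray(CONSTRUCTED-PLACEHOLDER)"
WebUI\Address=127.0.0.1
[AutoRun]
enabled=false
"""
if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_qbittorrent_conf(conf))
```

A `default-credentials` finding is the one to fix first, since the other two settings only matter to someone who can already authenticate.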
RCE
Using Hardcoded Credentials
Affected Products
Alt Linux
Debian
Red Os
Qbittorrent