Vulnerability Description
The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows an attacker to gain unauthorized access to qBittorrent functions by tampering with the affected flag value of the config file at the C:\Users\<username>\Roaming\qBittorrent pathname. The attacker must change the value of the "locked" attribute to "false" within the "Locking" stanza. NOTE: This is intended behavior. See https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qbittorrent | Qbittorrent | 3.3.15 |
Related Weaknesses (CWE)
References
- http://archive.is/eF2GR (Exploit, Third Party Advisory)
- https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password
- https://medium.com/%40BaYinMin/cve-2017-12778-qbittorrent-ui-lock-authentication
FAQ
What is CVE-2017-12778?
CVE-2017-12778 is a vulnerability with a CVSS score of 7.1 (HIGH). The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows an attacker to gain unauthorized access to qBittorrent functions by tampering with the affected flag value ...
How severe is CVE-2017-12778?
CVE-2017-12778 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-12778?
Check the references section above for vendor advisories and patch information. Affected products include: Qbittorrent Qbittorrent.