Vulnerability Description
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qbittorrent | Qbittorrent | <= 4.5.5 |
Related Weaknesses (CWE)
References
- https://github.com/qbittorrent/qBittorrent/issues/18731Issue Tracking
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://vulncheck.com/advisories/qbittorrent-default-credsThird Party Advisory
- https://github.com/qbittorrent/qBittorrent/issues/18731Issue Tracking
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://vulncheck.com/advisories/qbittorrent-default-credsThird Party Advisory
FAQ
What is CVE-2023-30801?
CVE-2023-30801 is a vulnerability with a CVSS score of 9.8 (CRITICAL). All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, thi...
How severe is CVE-2023-30801?
CVE-2023-30801 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-30801?
Check the references section above for vendor advisories and patch information. Affected products include: Qbittorrent Qbittorrent.