CVE-2023-30801

2023-10-1014:15:10

CWE-798

CWE-1392

[email protected]

web.nvd.nist.gov

127

cve-2023-30801

qbittorrent

default credentials

web user interface

remote attacker

operating system commands

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the “external program” feature in the web user interface. This was reportedly exploited in the wild in March 2023.

Affected configurations

NVD

Node

qbittorrentqbittorrentRange≤4.5.5

CPENameOperatorVersion
qbittorrent:qbittorrentqbittorrentle4.5.5

CPE	Name	Operator	Version
qbittorrent:qbittorrent	qbittorrent	le	4.5.5

CNA Affected

[
  {
    "defaultStatus": "affected",
    "platforms": [
      "Windows",
      "Linux",
      "MacOS"
    ],
    "product": "qBittorrent client",
    "vendor": "qBittorrent",
    "versions": [
      {
        "lessThanOrEqual": "4.5.5",
        "status": "affected",
        "version": "0",
        "versionType": "1.2.6"
      }
    ]
  }
]