ALT-PU-2023-6705-2

Package update qbittorrent in branch sisyphus

Version4.6.0-alt1

Published2026-02-04

Max severityCRITICAL

Severity:

Closed issues (2)

CRITICAL9.8

Уязвимость кросс-платформенный BitTorrent клиента qBittorrent, связанная с использованием жестко запрограммированных учетных данных, позволяющая нарушителю выполнить произвольные команды

Published: 2024-04-09

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2023-30801

CRITICAL9.8

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

Published: 2023-10-10Modified: 2025-02-13

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References