All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
Published 2023-10-10 14:15:10
Updated 2023-11-30 04:15:07
Source VulnCheck
View at NVD,   CVE.org

Products affected by CVE-2023-30801

Exploit prediction scoring system (EPSS) score for CVE-2023-30801

0.22%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-30801

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
VulnCheck
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST

CWE ids for CVE-2023-30801

  • The product contains hard-coded credentials, such as a password or cryptographic key.
    Assigned by: nvd@nist.gov (Primary)
  • The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
    Assigned by: disclosure@vulncheck.com (Secondary)

References for CVE-2023-30801

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!