DEBIAN-CVE-2023-30801

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2023-30801

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-30801.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-30801

Upstream

CVE-2023-30801

Published

2023-10-10T14:15:10Z

Modified

2025-09-18T05:20:09Z

Summary

[none]

Details

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

References

https://security-tracker.debian.org/tracker/CVE-2023-30801

Affected packages

Debian:11 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:14 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}