PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6504 qBittorrent CVE debrief

CVE-2017-6504 affects the qBittorrent WebUI in versions before 3.3.11. The WebUI did not set the X-Frame-Options response header, so a third-party page could embed the interface in a frame and clickjack a logged-in user into performing actions in it. The NVD record classifies the issue with CVSS 3.0 6.1 (Medium) and identifies the vulnerable version range as qBittorrent up to and including 3.3.10. A vendor patch and release notes are referenced in the official advisories.

Vendor
qBittorrent
Product
qBittorrent (WebUI)
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-06
Original CVE updated
2026-05-13
Advisory published
2017-03-06
Advisory updated
2026-05-13

Who should care

Administrators and users running qBittorrent with the WebUI enabled, especially where the WebUI is reachable from a network on which a logged-in user could be lured to an attacker-controlled page that embeds the interface in a hidden or overlaid frame.

Technical summary

The vulnerability is a WebUI hardening failure: qBittorrent did not send the X-Frame-Options response header, so any origin could load the interface in an iframe and overlay it to redirect the user's clicks to WebUI controls (clickjacking). According to the NVD metadata, the issue is reachable over the network without privileges, requires user interaction, and has low confidentiality and integrity impact; the changed-scope flag (S:C) reflects that the impact lands in the victim's browser session rather than in the vulnerable server component. The official references point to a specific upstream commit and the project release notes for the fix.

Defensive priority

Medium. This is not a code-execution flaw, but it affects an interactive web interface and can be abused through social engineering whenever the victim's browser can reach the WebUI while holding a valid session.

Recommended defensive actions

  • Upgrade qBittorrent to version 3.3.11 or later.
  • Verify that no deployed instance still runs an affected version (NVD lists qBittorrent up to and including 3.3.10).
  • Review how the WebUI is exposed and restrict access where possible: avoid publishing it directly to the internet, bind it to a trusted interface, or place it behind a VPN or authenticating proxy.
  • Confirm that the fixed release actually sends X-Frame-Options on WebUI responses and that the header survives customization and reverse-proxy changes. A proxy that rewrites headers can drop or duplicate it; in nginx, for example, an add_header directive inside a location block suppresses add_header directives inherited from the enclosing server block unless they are repeated there.
  • Use the upstream release notes and commit reference to validate the patch in your environment.
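The last two actions amount to a header check that can be automated. The script below is an added example for this debrief, not code from the qBittorrent project. Given a response's headers it decides whether a cross-origin page may frame the WebUI, following the processing rules browsers apply to X-Frame-Options (a single DENY or SAMEORIGIN blocks framing, conflicting repeated values are treated as DENY, and a missing, obsolete ALLOW-FROM or misspelled value leaves framing allowed). It goes beyond the advisory in also recognising the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. The sample header sets are constructed for the demonstration, and the WebUI address in the usage comment is an assumption.

```python
"""Evaluate whether an HTTP response can be embedded in a third-party frame.

Added example for this debrief, not code from the qBittorrent project.
The sample header sets below are constructed to resemble a pre-3.3.11 WebUI
reply (no framing protection) and several hardened or misconfigured replies.
"""
from typing import Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import urlopen

Headers = List[Tuple[str, str]]

# Constructed sample responses (not captured traffic).
VULNERABLE: Headers = [("Content-Type", "text/html; charset=UTF-8"),
                       ("Set-Cookie", "SID=example; HttpOnly; SameSite=Strict")]
FIXED: Headers = VULNERABLE + [("X-Frame-Options", "SAMEORIGIN")]
CSP_ONLY: Headers = VULNERABLE + [("Content-Security-Policy",
                                   "default-src 'self'; frame-ancestors 'none'")]
ALLOW_FROM: Headers = VULNERABLE + [("X-Frame-Options", "ALLOW-FROM https://example.com")]


def _values(headers: Headers, name: str) -> List[str]:
    """Case-insensitive lookup that returns every value of a possibly repeated header."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _csp_frame_ancestors(headers: Headers) -> List[str]:
    """Return the source list of each frame-ancestors directive in enforced CSP headers.

    Content-Security-Policy-Report-Only is deliberately ignored: it never blocks framing.
    """
    found = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(" ".join(tokens[1:]))
    return found


def evaluate_framing(headers: Headers) -> Dict[str, object]:
    """Decide whether an arbitrary cross-origin page may frame this response.

    Returns {"protected": bool, "mechanism": "csp" | "xfo" | "none", "detail": str}.
    """
    fa = _csp_frame_ancestors(headers)
    if fa:
        # CSP wins over X-Frame-Options. Only a wildcard source leaves framing open to anyone.
        sources = fa[0].split()
        return {"protected": "*" not in sources, "mechanism": "csp",
                "detail": "frame-ancestors " + fa[0]}

    raw = _values(headers, "X-Frame-Options")
    # The header may be repeated or comma-joined; browsers act on the set of distinct values.
    values = {v.strip().lower() for raw_value in raw for v in raw_value.split(",") if v.strip()}
    if not values:
        return {"protected": False, "mechanism": "none",
                "detail": "X-Frame-Options header absent"}
    if len(values) > 1:
        # Conflicting values that include a known keyword are treated as DENY;
        # conflicting unknown values are ignored entirely.
        if values & {"deny", "sameorigin", "allowall"}:
            return {"protected": True, "mechanism": "xfo",
                    "detail": "conflicting values %s are treated as DENY" % sorted(values)}
        return {"protected": False, "mechanism": "xfo",
                "detail": "conflicting unknown values %s are ignored" % sorted(values)}
    value = values.pop()
    if value in ("deny", "sameorigin"):
        return {"protected": True, "mechanism": "xfo", "detail": value.upper()}
    if value.startswith("allow-from"):
        return {"protected": False, "mechanism": "xfo",
                "detail": "ALLOW-FROM is obsolete and ignored by current browsers"}
    return {"protected": False, "mechanism": "xfo",
            "detail": "unrecognised value %r is ignored" % value}


def fetch_headers(url: str, timeout: float = 5.0) -> Headers:
    """Fetch a URL and return its response headers; a 4xx/5xx reply still yields headers."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return list(resp.headers.items())
    except HTTPError as err:
        return list(err.headers.items())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check, e.g. against an assumed local WebUI: python check_framing.py http://127.0.0.1:8080/
        print(evaluate_framing(fetch_headers(sys.argv[1])))
    else:
        for label, hdrs in (("vulnerable", VULNERABLE), ("fixed", FIXED),
                            ("csp-only", CSP_ONLY), ("allow-from", ALLOW_FROM)):
            print(label, evaluate_framing(hdrs))
```

Run it without arguments to see the verdict for each constructed sample, or pass the WebUI URL to test a live instance; the unauthenticated login page is sufficient, since the header should be present on every WebUI response, and a 401 or 403 reply is still inspected. Running the live check both directly against qBittorrent and through any reverse proxy in front of it is the quickest way to catch a proxy that strips or overrides the header.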

Evidence notes

Primary evidence comes from the CVE description and NVD metadata: the WebUI lacked the X-Frame-Options header and was vulnerable before 3.3.11. The official references include the upstream patch commit and qBittorrent release notes. NVD also lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and a primary weakness mapping of CWE-20.

Official resources

The CVE record was published on 2017-03-06 and last modified on 2026-05-13; the later modification date does not change the original disclosure date.