PatchSiren

qBittorrent CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM qBittorrent CVE published 2017-03-06

CVE-2017-6504

CVE-2017-6504 affects qBittorrent WebUI versions before 3.3.11. The WebUI did not set the X-Frame-Options header, which could allow clickjacking against users interacting with the interface. The NVD record rates the issue at a CVSS 3.0 score of 6.1 (Medium) and identifies the vulnerable version range as qBittorrent up to 3.3.10. A vendor patch and release notes are referenced in the official advisories.

MEDIUM qBittorrent CVE published 2017-03-06

CVE-2017-6503

CVE-2017-6503 is a WebUI cross-site scripting issue in qBittorrent. According to the CVE record and NVD, versions before 3.3.11 did not escape many values, which could allow XSS in the browser-facing interface. The issue is rated medium severity and is most relevant anywhere the qBittorrent WebUI is exposed to users who can interact with untrusted content or attacker-influenced data.