CVE-2017-12778
HIGH
qBittorrent 3.3.15 - Authentication Bypass via Config File Tampering
Title source: llm
Description
The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows an attacker to gain unauthorized access to qBittorrent functions by tampering with the affected flag value in the config file at the C:\Users\<username>\Roaming\qBittorrent pathname. The attacker must change the value of the "locked" attribute to "false" within the "Locking" stanza. NOTE: This is an intended behavior. See https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password
References (3)
Core References
Various Sources x_refsource_misc
https://medium.com/%40BaYinMin/cve-2017-12778-qbittorrent-ui-lock-authentication-bypass-30959ff55ada
Exploit, Third Party Advisory x_refsource_misc
http://archive.is/eF2GR
Third Party Advisory x_refsource_misc
https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password
Scores
CVSS v3: 7.1
EPSS: 0.0048
EPSS Percentile: 37.7%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-287
Status: published
Products (1): qbittorrent/qbittorrent 3.3.15
Published: May 09, 2019
Tracked Since: Feb 18, 2026