2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
Products | Qbittorrent |
Type | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
First patch | - None (likely due to unavailable code) |
Links |
• https://github.com/qbittorrent/qBittorrent/issues/10925
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00085.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00080.html
• https://www.debian.org/security/2020/dsa-4650
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH3WYCKODG4OKMC4S6PWHLHAWWU6ORNC/ |