Multiple security issues were found in qbittorrent and fixed in the latest version.

CVE-2017-6503 - WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS.
Upstream patch: https://github.com/qbittorrent/qBittorrent/commit/6ca3e4f094da0a0017cb2d483ec1db6176bb0b16

CVE-2017-6504 - WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options header, which could potentially lead to clickjacking.
Upstream patch: https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d

References:
https://www.qbittorrent.org/news.php
Hi Andrej,

Above you referenced the same commit for both CVE-2017-6503 and CVE-2017-6504. I think the one for CVE-2017-6504 is https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d. Can you please update the reference?

Regards,
Salvatore
(In reply to Salvatore Bonaccorso from comment #1)
> Hi Andrej
>
> Above you referenced the same commit for both CVE-2017-6503 and
> CVE-2017-6504. I think the one for CVE-2017-6504 is
>
> https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d
>
> can you please update the reference?
>
> Regards,
> Salvatore

Hi Salvatore,

Thanks for catching this! I indeed made a mistake and linked to the same patch twice. Fixed now.
Created qbittorrent tracking bugs for this issue:

Affects: epel-7 [bug 1429835]
Affects: fedora-all [bug 1429836]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.