Vulnerability Information
Vulnerability Title
qui CORS Misconfiguration: Arbitrary Origins Trusted
Vulnerability Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrates sensitive data such as API keys and account credentials, or even achieves full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
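The weak setting the description refers to (echoing any Origin together with Access-Control-Allow-Credentials: true), beside a hardened allow-list form and a check that flags the exposure. This is an added example, not qui's code; the allow-listed origins are assumed values.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// corsPolicy writes CORS response headers for a request whose Origin header is origin.
type corsPolicy func(w http.ResponseWriter, origin string)

// Constructed allow-list of origins the UI is really served from (assumed values).
var allowedOrigins = map[string]bool{
	"https://qui.example.internal": true,
	"http://localhost:7476":        true,
}

// permissiveCORS is the weak pattern the advisory describes: any Origin is echoed
// and credentials are still allowed, so a logged-in browser sends its session
// cookie cross-site and the foreign page can read the response.
func permissiveCORS(w http.ResponseWriter, origin string) {
	if origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
}

// strictCORS echoes only allow-listed origins; anything else gets no ACAO header,
// so the browser withholds the response. Vary: Origin stops caches from serving
// one origin's ACAO value to another.
func strictCORS(w http.ResponseWriter, origin string) {
	if allowedOrigins[origin] {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Add("Vary", "Origin")
	}
}

// corsHeaders runs a policy for the given Origin and returns the ACAO/ACAC values.
func corsHeaders(p corsPolicy, origin string) (acao, acac string) {
	rec := httptest.NewRecorder()
	p(rec, origin)
	return rec.Header().Get("Access-Control-Allow-Origin"),
		rec.Header().Get("Access-Control-Allow-Credentials")
}

// exposesCredentialed reports the misconfiguration from the advisory: an origin
// outside the allow-list is reflected together with credentials.
func exposesCredentialed(p corsPolicy, origin string) bool {
	acao, acac := corsHeaders(p, origin)
	return !allowedOrigins[origin] && acao == origin && acac == "true"
}
```

Running exposesCredentialed against a deployment's real middleware (with a constructed foreign origin) is the quickest regression check that an allow-list is actually enforced.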
CVSS Information
N/A
Vulnerability Type
Overly permissive cross-origin allowlist
Vulnerability Title
qui security vulnerability
Vulnerability Description
qui is a lightweight multi-instance web management interface open-sourced by autobrr. qui versions 1.14.1 and earlier contain a security vulnerability caused by an overly permissive CORS policy, which may lead to cross-origin request forgery and information disclosure.
CVSS Information
N/A
Vulnerability Type
N/A