Redacted - Security vulnerability in qBittorrent 4.5.1 Windows WebUI
It has come to our attention that there is a significant security vulnerability in the WebUI of qBittorrent 4.5.1 running on Windows. The vulnerability is classified as an "unauthenticated path traversal", meaning anyone who can reach the WebUI port can download/copy arbitrary files from anywhere on your computer.
The exact combination of versions and operating systems impacted is unclear, however early results seem to indicate that qBT 4.4.x is unaffected.
The WebUI is not enabled by default, so most users are probably unaffected. If you are using the WebUI, it is highly recommended to do some combination of the following until a patched version (4.5.2?) is available:
Disable the WebUI
Downgrade to an unaffected version, likely 4.4.x
Ensure that the WebUI port is not exposed to untrusted networks -- this means the internet, but also college campuses and any other shared networks.
We are not removing 4.5.1 or 4.5.x from the client whitelist at this time as it is believed that the majority of users are unaffected, however that may change as the situation develops.