Deluge: Remote execution of arbitrary code A vulnerability in Deluge might allow remote attackers to execute arbitrary code. deluge 2017-03-28 2017-03-28 612144 remote 1.3.14 1.3.14

Deluge is a BitTorrent client.

A CSRF vulnerability was discovered in the web UI of Deluge.

A remote attacker could entice a user currently logged in into Deluge web UI to visit a malicious web page which uses forged requests to make Deluge download and install a Deluge plug-in provided by the attacker. The plug-in can then execute arbitrary code as the user running Deluge.

There is no known workaround at this time.

All Deluge users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.3.14" CVE-2017-7178 whissi whissi