CVE-2023-50473
Description
Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI version 1.16.4, allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in index.js file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
qbit-matUI v1.16.4 uses a hardcoded session ID in cookies, enabling XSS and session replay via fixed SID in index.js.
Vulnerability
qbit-matUI version 1.16.4, a mock backend for the qBitTorrent web UI, sets a fixed session identifier (SID) cookie in the login endpoint (/api/v2/auth/login) inside mock_backend/index.js at line 34. The SID is hardcoded as 8c212779b4abde7A on every successful authentication [1], [2]. This design flaw eliminates session uniqueness.
Exploitation
A remote attacker with network access to the application can observe the fixed session cookie, either by intercepting network traffic or via a cross-site scripting (XSS) payload that reads the SID cookie. The attacker then reuses the same SID in subsequent requests to impersonate the legitimate user without needing further authentication. The attack requires no special privileges beyond access to the affected server [1].
Impact
Successful exploitation allows an attacker to obtain sensitive user data and perform actions on behalf of the victim (information disclosure, session replay). The fixed SID undermines session integrity and confidentiality, as outlined in the CVE description [1], [2].
Mitigation
The developer recommends modifying the code to generate a random, unique session identifier per login session and to apply Secure and HttpOnly flags to the cookie [2]. As of the CVE publication date (2023-12-21), no fixed version has been released; users should apply the suggested code changes manually or wait for an official patch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- bill-ahmed/qbit-matUIdescription
- Range: =1.16.4
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application uses fixed session identifiers (SID) in cookies, meaning the session ID never changes across logins, enabling session replay and XSS attacks."
Attack vector
A remote attacker can exploit the fixed session identifier (SID) in cookies set by the application at login [ref_id=1]. Because the SID never rotates, an attacker who obtains a valid SID (e.g., via a cross-site scripting payload or by intercepting network traffic) can replay that session identifier to impersonate the victim and access sensitive information [ref_id=1]. The vulnerability is located in the cookie-handling logic in mock_backend/index.js at line 34 [ref_id=1].
Affected code
The vulnerability is in mock_backend/index.js at line 34, where the application sets a fixed session identifier (SID) in cookies upon user login [ref_id=1]. The affected version is qbit-matUI v1.16.4 [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that the application uses fixed session identifiers (SID) in cookies when users log in, which is the root cause. The recommended remediation is to generate a new, unpredictable session identifier on each successful login and to set the Secure and HttpOnly flags on the session cookie to reduce the risk of XSS-based theft.
Preconditions
- networkAttacker must be able to obtain the fixed session identifier (SID) from the victim, e.g., via a cross-site scripting payload or network interception
- authVictim must be logged into the application so the fixed SID cookie is set
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.