TROYANOSYVIRUS

CVE-2023-41265

CRITICAL | CISA KEV | 9.6

Description

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CVE Details

CVSS v3.1 Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 8/29/2023
Last Modified: 10/31/2025
Source: kev
Honeypot Sightings: 0

CISA KEV

Vendor: Qlik
Product: Sense
Vulnerability Name: Qlik Sense HTTP Tunneling Vulnerability
KEV Date Added: 2023-12-07
Remediation Due Date: 2023-12-28
Ransomware Use: Known

Affected Products

qlik:qlik_sense

Weaknesses (CWE)

CWE-444

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.