CVE-2023-48365
Severity: CRITICAL | Listed in CISA KEV | CVSS score: 9.6
Description
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
CVE details
CVSS v3.1 score: 9.6
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 11/15/2023
Last modified: 10/31/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Qlik
Product: Sense
Vulnerability name: Qlik Sense HTTP Tunneling Vulnerability
Date added to KEV: 2025-01-13
Remediation due date: 2025-02-03
Use in ransomware campaigns: Known
Affected products
qlik:qlik_sense
Weaknesses (CWE)
CWE-444
References
https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 (source: cve@mitre.org)
https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 (source: af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48365 (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.