#VU83603 Inconsistent interpretation of HTTP requests in Qlik Sense Enterprise for Windows - CVE-2023-48365

Published: November 30, 2023
Vulnerability identifier: #VU83603
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2023-48365
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: Qlik Sense Enterprise for Windows
Software vendor: QlikTech International AB

Description

The vulnerability allows a remote user to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests caused by an incomplete fix for #VU80193 (CVE-2023-41265). A remote authenticated user can elevate their privileges within the application by tunneling HTTP requests.

Note: the vulnerability is being actively exploited in the wild.

Remediation

Install updates from the vendor's website.

External links