CVE-2023-41265

CRITICAL KEV RANSOMWARE NUCLEI

Qlik Sense - HTTP Request Smuggling

Title source: rule

Description

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Exploits (1)

nomisec SCANNER 5 stars

by praetorian-inc · remote

https://github.com/praetorian-inc/zeroqlik-detect

View Code ZIP pw:eip

Nuclei Templates (1)

Qlik Sense Enterprise - HTTP Request Smuggling

CRITICALby AdamCrosser

Shodan: html:"Qlik" || http.favicon.hash:-74348711 || http.html:"qlik" || http.title:"qlik-sense"

FOFA: app="qlik-sense" || title="qlik-sense" || icon_hash=-74348711 || body="qlik"

References (3)

[Vendor Advisory] https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801

[Release Notes] https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41265

Scores

CVSS v3 9.6

EPSS 0.9241

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Details

CISA KEV 2023-12-07

VulnCheck KEV 2023-11-28

InTheWild.io 2023-11-28

ENISA EUVD EUVD-2023-45782

Ransomware Use Confirmed

CWE

CWE-444

Status published

Products (4)

qlik/qlik_sense august_2022 (13 CPE variants)

qlik/qlik_sense february_2023 (8 CPE variants)

qlik/qlik_sense may_2023 (4 CPE variants)

qlik/qlik_sense november_2022 (11 CPE variants)

Published Aug 29, 2023

KEV Added Dec 07, 2023

Tracked Since Feb 18, 2026