CVE-2023-41266

HIGH KEV RANSOMWARE NUCLEI

Qlik Sense - Path Traversal

Title source: rule

Description

A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Exploits (1)

vulncheck_xdb SCANNER

remote

https://github.com/praetorian-inc/zeroqlik-detect

View Code ZIP pw:eip

Nuclei Templates (1)

Qlik Sense Enterprise - Path Traversal

MEDIUMVERIFIEDby AdamCrosser

Shodan: http.favicon.hash:-74348711 || http.html:"qlik" || http.title:"qlik-sense"

FOFA: app="qlik-sense" || title="qlik-sense" || icon_hash=-74348711 || body="qlik"

References (3)

[Vendor Advisory] https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801

[Release Notes] https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41266

Scores

CVSS v3 8.2

EPSS 0.9429

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

CISA KEV 2023-12-07

VulnCheck KEV 2023-11-28

InTheWild.io 2023-11-28

ENISA EUVD EUVD-2023-45783

Ransomware Use Confirmed

CWE

CWE-22

Status published

Products (4)

qlik/qlik_sense august_2022 (13 CPE variants)

qlik/qlik_sense february_2023 (8 CPE variants)

qlik/qlik_sense may_2023 (4 CPE variants)

qlik/qlik_sense november_2022 (11 CPE variants)

Published Aug 29, 2023

KEV Added Dec 07, 2023

Tracked Since Feb 18, 2026