CVE-2023-48365

Published: Nov 15, 2023Modified: Oct 31, 2025CISA KEV

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: NVD

Description

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

Affected (92)

Products: Qlik: Qlik Sense

Qlik

1 product

Qlik Sense

Configuration A

92 vulnerable

Vulnerable Software	Affected Versions
Qlik Qlik Sense	Version august_2022
Qlik Qlik Sense	Version august_2022 patch_10
Qlik Qlik Sense	Version august_2022 patch_11
Qlik Qlik Sense	Version august_2022 patch_12
Qlik Qlik Sense	Version august_2022 patch_13
Qlik Qlik Sense	Version august_2022 patch_1
Qlik Qlik Sense	Version august_2022 patch_2
Qlik Qlik Sense	Version august_2022 patch_3
Qlik Qlik Sense	Version august_2022 patch_4
Qlik Qlik Sense	Version august_2022 patch_5
Qlik Qlik Sense	Version august_2022 patch_6
Qlik Qlik Sense	Version august_2022 patch_7
Qlik Qlik Sense	Version august_2022 patch_8
Qlik Qlik Sense	Version august_2022 patch_9
Qlik Qlik Sense	Version august_2023
Qlik Qlik Sense	Version august_2023 patch_1
Qlik Qlik Sense	Version february_2022
Qlik Qlik Sense	Version february_2022 patch_10
Qlik Qlik Sense	Version february_2022 patch_11
Qlik Qlik Sense	Version february_2022 patch_12
Qlik Qlik Sense	Version february_2022 patch_13
Qlik Qlik Sense	Version february_2022 patch_14
Qlik Qlik Sense	Version february_2022 patch_1
Qlik Qlik Sense	Version february_2022 patch_2
Qlik Qlik Sense	Version february_2022 patch_3
Qlik Qlik Sense	Version february_2022 patch_4
Qlik Qlik Sense	Version february_2022 patch_5
Qlik Qlik Sense	Version february_2022 patch_6
Qlik Qlik Sense	Version february_2022 patch_7
Qlik Qlik Sense	Version february_2022 patch_8
Qlik Qlik Sense	Version february_2022 patch_9
Qlik Qlik Sense	Version february_2023
Qlik Qlik Sense	Version february_2023 patch_1
Qlik Qlik Sense	Version february_2023 patch_2
Qlik Qlik Sense	Version february_2023 patch_3
Qlik Qlik Sense	Version february_2023 patch_4
Qlik Qlik Sense	Version february_2023 patch_5
Qlik Qlik Sense	Version february_2023 patch_6
Qlik Qlik Sense	Version february_2023 patch_7
Qlik Qlik Sense	Version february_2023 patch_8
Qlik Qlik Sense	Version february_2023 patch_9
Qlik Qlik Sense	Version may_2022
Qlik Qlik Sense	Version may_2022 patch_10
Qlik Qlik Sense	Version may_2022 patch_11
Qlik Qlik Sense	Version may_2022 patch_12
Qlik Qlik Sense	Version may_2022 patch_13
Qlik Qlik Sense	Version may_2022 patch_14
Qlik Qlik Sense	Version may_2022 patch_15
Qlik Qlik Sense	Version may_2022 patch_1
Qlik Qlik Sense	Version may_2022 patch_2
Qlik Qlik Sense	Version may_2022 patch_3
Qlik Qlik Sense	Version may_2022 patch_4
Qlik Qlik Sense	Version may_2022 patch_5
Qlik Qlik Sense	Version may_2022 patch_6
Qlik Qlik Sense	Version may_2022 patch_7
Qlik Qlik Sense	Version may_2022 patch_8
Qlik Qlik Sense	Version may_2022 patch_9
Qlik Qlik Sense	Version may_2023
Qlik Qlik Sense	Version may_2023 patch_1
Qlik Qlik Sense	Version may_2023 patch_2
Qlik Qlik Sense	Version may_2023 patch_3
Qlik Qlik Sense	Version may_2023 patch_4
Qlik Qlik Sense	Version may_2023 patch_5
Qlik Qlik Sense	Version november_2021
Qlik Qlik Sense	Version november_2021 patch_10
Qlik Qlik Sense	Version november_2021 patch_11
Qlik Qlik Sense	Version november_2021 patch_12
Qlik Qlik Sense	Version november_2021 patch_13
Qlik Qlik Sense	Version november_2021 patch_14
Qlik Qlik Sense	Version november_2021 patch_15
Qlik Qlik Sense	Version november_2021 patch_16
Qlik Qlik Sense	Version november_2021 patch_1
Qlik Qlik Sense	Version november_2021 patch_2
Qlik Qlik Sense	Version november_2021 patch_3
Qlik Qlik Sense	Version november_2021 patch_4
Qlik Qlik Sense	Version november_2021 patch_5
Qlik Qlik Sense	Version november_2021 patch_6
Qlik Qlik Sense	Version november_2021 patch_7
Qlik Qlik Sense	Version november_2021 patch_8
Qlik Qlik Sense	Version november_2021 patch_9
Qlik Qlik Sense	Version november_2022
Qlik Qlik Sense	Version november_2022 patch_10
Qlik Qlik Sense	Version november_2022 patch_11
Qlik Qlik Sense	Version november_2022 patch_1
Qlik Qlik Sense	Version november_2022 patch_2
Qlik Qlik Sense	Version november_2022 patch_3
Qlik Qlik Sense	Version november_2022 patch_4
Qlik Qlik Sense	Version november_2022 patch_5
Qlik Qlik Sense	Version november_2022 patch_6
Qlik Qlik Sense	Version november_2022 patch_7
Qlik Qlik Sense	Version november_2022 patch_8
Qlik Qlik Sense	Version november_2022 patch_9

Related CWEs

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (3)

https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510

Source: cve@mitre.org

Vendor Advisory

https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48365

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.