Back to KEVs

CVE-2023-41265

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 25, 2023
Published Date: August 29, 2023
Last Updated: August 02, 2024
Vendor: n/a
Product: n/a
Description: An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CVSS Scores

CVSS v3.1

9.6 - CRITICAL

Vector: CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:C/UI:N

SSVC Information

Exploitation: Active
Automatable: Yes
Technical Impact: Total

Exploit Status

Exploited in the Wild: Yes (added 2023-12-07 00:00:00 UTC) Source
Used in Malware: Yes (added 2023-12-07 00:00:00 UTC) Source

References

https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-12-07 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-41265.yaml	2025-04-26 00:00:00 UTC