cbcvebase.
CVE-2023-41266
published 2023-08-29

Priority: P189
Severity: medium (CVSS 3.1 base score 6.5)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-12-28)
Exploited in the wild
EPSS: 84.97% (99.7th percentile)
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
qlik | qlik_sense | May 2023 Patch 3 and earlier | May 2023 Patch 4
qlik | qlik_sense | February 2023 Patch 7 and earlier | February 2023 Patch 8
qlik | qlik_sense | November 2022 Patch 10 and earlier | November 2022 Patch 11
qlik | qlik_sense | August 2022 Patch 12 and earlier | August 2022 Patch 13

Detection & IOCs (extracted from sources)

path: /resources/qmc/fonts/../../../qrs/ReloadTask?xrfkey=1333333333333337&filter=.ttf
cookie: X-Qlik-Session=13333333-3333-3333-3333-333333333337
path: /resources/qmc/fonts/
Suricata/Snort rule (Emerging Threats, sid 2048366):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1; metadata:affected_product Qlik_Sense_Enterprise, created_at 2023_09_29, cve CVE_2023_41266, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_09_29, reviewed_at 2023_09_29, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Exploit requests use HTTP POST with an 'X-Qlik-' request header and a URI that starts with '/resources/qmc/fonts/' and ends with '.ttf'; the dot-dot segments traverse out of the fonts directory to reach QRS endpoints (here /qrs/ReloadTask) that should require authentication.
  • Successful exploitation results in an anonymous session cookie being set: look for 'x-qlik-session' in Set-Cookie response headers, together with HTTP 400 responses whose body contains 'The comparison expression does not consist of three elements' (the QRS filter parser rejecting 'filter=.ttf').
  • Post-exploitation discovery command output is redirected into .TTF files, likely so the results can be retrieved back through the same path traversal; monitor for .TTF files that contain non-font data.
  • The Qlik Sense Scheduler service spawning unexpected child processes (PowerShell, BITS transfers) is a strong indicator of exploitation.
  • Shodan/FOFA fingerprinting: exposed Qlik Sense instances can be identified via favicon hash -74348711, HTML containing 'qlik', or page title 'qlik-sense'.
  • Attackers uninstall Sophos antivirus as a defense evasion step; monitor for Sophos removal events on Qlik Sense hosts.
  • The Nuclei template uses a fixed xrfkey value ('1333333333333337') and session UUID ('13333333-3333-3333-3333-333333333337') for PoC detection; real attacker requests may use different values, so do not key detections on those constants.
  • The ET rule (sid:2048366) matches only POST requests, but the path traversal can also be triggered via GET; the GET-based Nuclei PoC uses the same /resources/qmc/fonts/ path prefix with a .ttf suffix, so a request-path check should be method-agnostic.
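The request shape described in the bullets above, as a log-review script. This is an added example, not code from this page, from Qlik, or from the Emerging Threats rule. It assumes the proxy's requests are available in an Apache/nginx combined-style access log (the sample lines are constructed, not captured), percent-decodes and normalizes the path so that encoded and backslash variants of the traversal are caught, and, unlike the POST-only ET rule, flags any method.

```python
"""Flag CVE-2023-41266-style traversal requests in access-log lines.

Added example (not the page's, Qlik's, or Emerging Threats' code). The log
format is assumed to be Apache/nginx 'combined' style; adapt LOG_RE for the
Qlik proxy's own trace logs. The sample lines are constructed, not captured.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The anonymous-access prefix the traversal starts from (from the page's IOCs).
FONTS_PREFIX = "/resources/qmc/fonts/"
# A ".." segment anywhere in the decoded path.
DOT_DOT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """Percent-decode up to twice (catches %252e double encoding) and fold
    backslashes to slashes, as a lenient Windows-hosted proxy might."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_request(method: str, raw_uri: str) -> list[str]:
    """Return the reasons a request looks like CVE-2023-41266 exploitation.

    An empty list means a plain font fetch or an unrelated request.
    The check is deliberately method-agnostic (see the GET caveat above).
    """
    parts = urlsplit(raw_uri)
    path = decode_path(parts.path)
    if not path.lower().startswith(FONTS_PREFIX):
        return []  # only the fonts prefix reaches the unauthenticated path
    reasons = []
    if DOT_DOT_RE.search(path):
        reasons.append("dot-dot segment in a fonts-directory URI")
    resolved = posixpath.normpath(path)
    if not resolved.lower().startswith(FONTS_PREFIX):
        reasons.append(f"path resolves outside the fonts directory to {resolved}")
    if not reasons:
        return []
    if decode_path(raw_uri).lower().endswith(".ttf"):
        reasons.append("URI ends in .ttf, as in the PoC and the ET rule")
    if method.upper() != "POST":
        reasons.append(f"{method} request: not covered by the POST-only ET rule")
    return reasons


def scan_log(lines):
    """Parse combined-format lines; return one hit dict per suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; real tooling should count these
        reasons = classify_request(match["method"], match["uri"])
        if reasons:
            hits.append({
                "line": number,
                "src": match["ip"],
                "method": match["method"],
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return hits


# Constructed sample log: lines 1, 3 and 5 are traversal attempts (the PoC
# shape, a double-encoded GET with a non-PoC xrfkey, and a backslash variant);
# lines 2 and 4 are a normal font fetch and an ordinary QRS API call.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Sep/2023:10:00:01 +0000] "POST /resources/qmc/fonts/../../../qrs/ReloadTask?xrfkey=1333333333333337&filter=.ttf HTTP/1.1" 400 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [29/Sep/2023:10:00:02 +0000] "GET /resources/qmc/fonts/OpenSans-Regular.ttf HTTP/1.1" 200 23456 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Sep/2023:10:00:03 +0000] "GET /resources/qmc/fonts/%252e%252e%252f%252e%252e%252f%252e%252e%252fqrs/about?xrfkey=a1b2c3d4e5f60718&filter=.ttf HTTP/1.1" 200 310 "-" "curl/8.1"',
    '198.51.100.9 - - [29/Sep/2023:10:00:04 +0000] "GET /qrs/about?xrfkey=0123456789abcdef HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Sep/2023:10:00:05 +0000] "POST /resources/qmc/fonts/..\\..\\..\\qrs/ReloadTask?xrfkey=deadbeefcafef00d&filter=.ttf HTTP/1.1" 400 512 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the check normalizes the decoded path instead of matching the literal '../' string, it also catches percent-encoded and backslash variants; it cannot see the 'X-Qlik-' request header or the Set-Cookie response, so pair it with the rule above or with proxy trace logs for those signals.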

CVSS provenance

nvd: v3.1 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
vulncheck: 8.2 HIGH
cisa: 6.5 MEDIUM