CVE-2023-48365
published 2023-11-15

CVE-2023-48365: Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683.

Priority: P1 (97) · critical 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2025-02-03
Exploited in the wild
EPSS: 24.68% (97.6th percentile)
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

Affected

8 ranges

Vendor | Product    | Version range | Fixed in
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |
qlik   | qlik_sense |               |

Detection & IOCs (extracted from sources)

url: POST /qrs/
cookie: X-Qlik-Session=
path: /qrs/ExternalProgramTask/create
  • The HTTP tunneling exploit is identified by a malformed Transfer-Encoding header value containing a comma and horizontal tab before 'chunked' (Transfer-Encoding: ,\x09chunked,\r\n), which bypasses header validation.
  • Exploit requests include both X-Qlik-xrfkey and X-Qlik-user headers alongside an X-Qlik-Session cookie, and target /qrs/ExternalProgramTask/create or /qrs/user endpoints with an xrfkey query parameter.
  • Post-exploitation: attackers use PowerShell and BITS to download tools, and redirect discovery command output into .TTF files — monitor for unusual .TTF file writes from Qlik Sense Scheduler service processes.
  • Post-exploitation: monitor for the Qlik Sense Scheduler service spawning unexpected child processes, as attackers exploit the flaw to cause it to initiate new processes.
  • The Snort/Suricata rule (sid:2059793) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective against HTTPS-protected Qlik Sense instances.
  • The vulnerability only affects Qlik Sense Enterprise for Windows; cloud-hosted instances have a different attack surface.
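As an added example (not code from this database page or from Qlik), the indicators in the list above turned into a small triage check over captured HTTP request heads. The two sample requests, the host name and every header value are constructed placeholders, and the check only mirrors the listed indicators, so a match is a lead for review, not proof of exploitation.

```python
# Added example (not from the database page or Qlik): turn the page's
# indicators into a triage check over captured HTTP request heads.
from typing import Dict, List, Tuple

QRS_PATHS = ("/qrs/ExternalProgramTask/create", "/qrs/user")  # endpoints named in the IOC list

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into method, target and headers.
    Header names are lower-cased; values keep tabs, which matter here."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip(" ")
    return method, target, headers

def malformed_transfer_encoding(value: str) -> bool:
    """True when the list has an empty element or a tab, as in ',\\tchunked,'.
    Well-formed values such as 'chunked' or 'gzip, chunked' are not flagged."""
    return any(el.strip(" ") == "" or "\t" in el for el in value.split(","))

def triage(raw: str) -> List[str]:
    """Return the indicators from the list above that one request matches."""
    method, target, headers = parse_request(raw)
    path, _, query = target.partition("?")
    findings = []
    te = headers.get("transfer-encoding")
    if te is not None and malformed_transfer_encoding(te):
        findings.append("malformed Transfer-Encoding")
    if method == "POST" and path.startswith("/qrs/"):
        findings.append("POST to /qrs/")
    if path in QRS_PATHS and "xrfkey=" in query:
        findings.append("QRS endpoint with xrfkey query parameter")
    if ("x-qlik-xrfkey" in headers and "x-qlik-user" in headers
            and "X-Qlik-Session=" in headers.get("cookie", "")):
        findings.append("X-Qlik-xrfkey and X-Qlik-user headers with X-Qlik-Session cookie")
    return findings

# Constructed samples: one matching the reported pattern, one ordinary hub request.
SUSPECT = ("POST /qrs/ExternalProgramTask/create?xrfkey=PLACEHOLDER HTTP/1.1\r\n"
           "Host: qlik.example.internal\r\nTransfer-Encoding: ,\tchunked,\r\n"
           "X-Qlik-xrfkey: PLACEHOLDER\r\nX-Qlik-user: PLACEHOLDER\r\n"
           "Cookie: X-Qlik-Session=PLACEHOLDER\r\n\r\n")
BENIGN = ("GET /hub/ HTTP/1.1\r\nHost: qlik.example.internal\r\n"
          "Cookie: X-Qlik-Session=PLACEHOLDER\r\n\r\n")
```

Because the Transfer-Encoding check works on the decoded request head, it has the same TLS-decryption requirement as the Snort/Suricata rule noted above.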

CVSS provenance

nvd: v3.1 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
vulncheck: 9.6 CRITICAL
cisa: 9.9 CRITICAL