Known Exploited Vulnerability
9.9
CRITICAL
CVE-2023-48365
Qlik Sense HTTP Tunneling Vulnerability - [Actively Exploited]
Description

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

INFO

Published Date :

Nov. 15, 2023, 10:15 p.m.

Last Modified :

Jan. 14, 2025, 2 a.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

6.0

Exploitability Score :

3.1
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 ; https://nvd.nist.gov/vuln/detail/CVE-2023-48365

Affected Products

The following products are affected by CVE-2023-48365 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Qlik qlik_sense
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-48365.

URL Resource
https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 Vendor Advisory
https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-48365 vulnerability anywhere in the article.

  • The Register
Datacus extractus: Harry Potter publisher breached without resorting to magic

Infosec in brief Hogwarts doesn’t teach an incantation that could have saved Harry Potter publisher Scholastic from feeling the power of an online magician who made off with millions of customer recor ... Read more

Published Date: Jan 20, 2025 (3 weeks, 1 day ago)
CVE-2024-52320 CVE-2024-48871 CVE-2023-48365
  • The Hacker News
CISA Adds Second BeyondTrust Flaw to KEV Catalog Amid Active Attacks

Vulnerability / Cybersecurity The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Su ... Read more

Published Date: Jan 14, 2025 (4 weeks ago)
CVE-2025-0282 CVE-2024-12686 CVE-2024-12356 CVE-2023-48365
  • Cybersecurity News
CISA Warns of Active Exploitation of Critical Flaws in BeyondTrust and Qlik Sense

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about two critical security vulnerabilities being actively exploited by malicious actors. These flaws, impactin ... Read more

Published Date: Jan 14, 2025 (4 weeks ago)
CVE-2024-12686 CVE-2024-12356 CVE-2024-36077 CVE-2023-48365 CVE-2023-41266 CVE-2023-41265
  • TheCyberThrone
CISA KEV Catalog Update Part III- January 2025

The US CISA has recently included two significant vulnerabilities, CVE-2024-12686 and CVE-2023-48365, in its Known Exploited Vulnerabilities (KEV) Catalog. This catalog is an essential resource for or ... Read more

Published Date: Jan 14, 2025 (4 weeks ago)
CVE-2024-12847 CVE-2024-5594 CVE-2024-12686 CVE-2024-54498 CVE-2024-49415 CVE-2023-48365
  • Cybersecurity News
CVE-2024-55579 & CVE-2024-55580: Qlik Sense Users Face Serious Security Risk

Qlik, a leading provider of business intelligence and data analytics platforms, has disclosed two vulnerabilities affecting Qlik Sense Enterprise for Windows. These vulnerabilities, identified as CVE- ... Read more

Published Date: Dec 09, 2024 (2 months ago)
CVE-2024-55580 CVE-2024-55579 CVE-2024-52338 CVE-2024-52052 CVE-2024-50623 CVE-2024-36077 CVE-2023-48365 CVE-2023-45648 CVE-2023-41266 CVE-2023-41265 ...+1 more CVE
  • Darktrace
A Thorn in Attackers’ Sides: How Darktrace Uncovered a CACTUS Ransomware Infection

This blog examines CACTUS, a relatively new strain of ransomware that first appeared in the threat landscape in March 2023. In November 2023, Darktrace detected CACTUS ransomware on a US customer netw ... Read more

Published Date: Aug 16, 2024 (5 months, 3 weeks ago)
CVE-2023-48365 CVE-2023-41266 CVE-2023-41265

The following table lists the changes that have been made to the CVE-2023-48365 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jan. 14, 2025

    Action Type Old Value New Value
    Added Date Added 2025-01-13
    Added Due Date 2025-02-03
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Qlik Sense HTTP Tunneling Vulnerability
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jan. 13, 2025

    Action Type Old Value New Value
    Added CWE CWE-444
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • Initial Analysis by [email protected]

    Nov. 29, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    Changed Reference Type https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 No Types Assigned https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 Vendor Advisory
    Added CWE NIST CWE-444
    Added CPE Configuration OR *cpe:2.3:a:qlik:qlik_sense:august_2022:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_10:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_11:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_12:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_13:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2022:patch_9:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2023:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:august_2023:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_10:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_11:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_12:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_13:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_14:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2022:patch_9:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:february_2023:patch_9:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_10:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_11:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_12:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_13:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_14:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_15:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2022:patch_9:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:may_2023:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_10:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_11:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_12:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_13:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_14:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_15:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_16:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2021:patch_9:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:-:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_1:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_10:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_11:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_2:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_3:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_4:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_5:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_6:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_7:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_8:*:*:enterprise:windows:*:* *cpe:2.3:a:qlik:qlik_sense:november_2022:patch_9:*:*:enterprise:windows:*:*
  • CVE Received by [email protected]

    Nov. 15, 2023

    Action Type Old Value New Value
    Added Description Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
    Added Reference MITRE https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 [No types assigned]
    Added CVSS V3.1 MITRE AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-48365 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-48365 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

1.66 }} 1.52%

score

0.87346

percentile

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: