Qlik: ZeroQlik: Unauthenticated Path Traversal in Qlik Sense Enterprise
CWE-22
Path Traversal
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Per Qlik advisory 2110801: “CVE-2023-41266 (QB-21220) Path traversal in Qlik Sense Enterprise for Windows … Due to improper validation of user supplied input, it is possible for an unauthenticated remote attacker to generate an anonymous session which allows them to perform HTTP requests to unauthorized endpoints.”
Affected Packages / Versions
- Package: Qlik Sense Enterprise for Windows
- Latest published version at triage time: August 2022 Patch 12 / November 2022 Patch 10 / February 2023 Patch 7 / May 2023 Patch 3
- Affected range: Per Qlik advisory 2110801 (Aug 29, 2023): "All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted: May 2023 Patch 3, February 2023 Patch 7, November 2022 Patch 10, August 2022 Patch 12."
- Patched version: Qlik Sense August 2023 Patch 1 and earlier-track equivalents (note: the original fix proved incomplete; see CVE-2023-48365 for the complete fix)
Impact
Per Qlik advisory: chained with CVE-2023-41265 the combined impact is “compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).” Per Qlik: “Qlik has received reports that this vulnerability may be being used by malicious actors.”
Severity Rationale
Per Qlik advisory: “CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High).” NVD lists 6.5 Medium for this CVE — score discrepancy noted; reviewer should align.
Fix
Per NVD: upgrade to Qlik Sense Enterprise August 2023 Patch 1 or the equivalent backport.
Disclosure timeline
- TBD: Reported to vendor
- Aug 29, 2023: Patch released (Qlik advisory 2110801 created)
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Adam Crosser and Thomas Hendrickson (Praetorian) — per Qlik's official advisory · Published April 29, 2026