A high-severity vulnerability in Qlik Sense Enterprise for Windows may allow remote code execution. It affects all versions up to and including the May 2024 Patch 9 release.
The advisory, rated “High” severity, covers two issues:
- Remote Code Execution (RCE): Unprivileged users could create connection objects to run arbitrary EXE files on the server.
- Broken Access Control (BAC): Unprivileged users with network access may execute remote commands, risking availability, integrity, and confidentiality.
The two issues carry CVSS scores of 8.8 and 7.5, both in the High range. Successful exploitation could lead to remote code execution and full compromise of the server running Qlik Sense.
The vulnerability affects all versions of Qlik Sense Enterprise for Windows up to and including the following releases:
- May 2024 Patch 9
- February 2024 Patch 13
- November 2023 Patch 15
- August 2023 Patch 15
- May 2023 Patch 17
- February 2023 Patch 14
Qlik has released patches for these vulnerabilities. Administrators should update to the patched release for their release train, which are:
- November 2024 Initial Release
- May 2024 Patch 10
- February 2024 Patch 14
- November 2023 Patch 16
- August 2023 Patch 16
- May 2023 Patch 18
- February 2023 Patch 15
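To check exposure on a Qlik Sense node, an administrator first needs the installed release train and patch level, then compares it with the patched list above. The PowerShell below is an added example, not code from the advisory or from Qlik: it reads the installed product version from the standard Windows Uninstall registry keys, lists the Qlik Sense services, and encodes the minimum patched level per release train from the list above. Assumptions not stated on the page: Qlik Sense registers an Uninstall entry whose DisplayName contains "Qlik Sense", and its Windows services are named with the QlikSense prefix. The DisplayVersion value is a build number, so mapping it to a release train and patch level is done manually against Qlik's release notes before calling Test-QlikReleasePatched.

```powershell
# Added inventory check; not part of the advisory or of Qlik's own tooling.
# Minimum patched level per release train, taken from the advisory's patched list.
# November 2024 Initial Release needs no patch, so its minimum is 0.
$MinimumPatched = @{
    'November 2024' = 0
    'May 2024'      = 10
    'February 2024' = 14
    'November 2023' = 16
    'August 2023'   = 16
    'May 2023'      = 18
    'February 2023' = 15
}

function Test-QlikReleasePatched {
    param(
        [Parameter(Mandatory)][string]$Release,   # e.g. 'May 2024'
        [Parameter(Mandatory)][int]$Patch         # installed patch number
    )
    if (-not $MinimumPatched.ContainsKey($Release)) {
        # Release trains older than February 2023 are outside the advisory's list;
        # treat them as unpatched and confirm against Qlik's advisory.
        return $false
    }
    return $Patch -ge $MinimumPatched[$Release]
}

function Get-QlikSenseInstall {
    # Assumption: Qlik Sense appears under the standard Uninstall keys (64- and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Qlik Sense*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-QlikSenseService {
    # Assumption: Qlik Sense service names start with "QlikSense".
    Get-Service -Name 'QlikSense*' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

# Usage: run in an elevated PowerShell session on the Qlik Sense node.
Get-QlikSenseInstall | Format-Table -AutoSize
Get-QlikSenseService | Format-Table -AutoSize

# After mapping DisplayVersion to a release train and patch level:
Test-QlikReleasePatched -Release 'May 2024' -Patch 9    # Patch 9 is below the minimum of 10
Test-QlikReleasePatched -Release 'May 2024' -Patch 10   # at the patched level
```

Run the inventory on every node in a multi-node deployment, not only the central node; each node carries its own installed build.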
Qlik's advisory also describes a workaround for the extension and visualization issue that involves editing the Repository.exe.config file and restarting specific Qlik Sense services; treat it as a stopgap until the patch is applied.
Although no exploitation has been reported, organizations are advised to patch promptly to secure their systems and data. Regular patching and adherence to security best practices are essential to protect against cyber threats.