CVE-2023-41266

Name of the Vulnerable Software and Affected Versions Qlik Sense Enterprise for Windows versions May 2023 Patch 3 and earlier Qlik Sense Enterprise for Windows versions February 2023 Patch 7 and earlier Qlik Sense Enterprise for Windows versions November 2022 Patch 10 and earlier Qlik Sense Enterprise for Windows versions August 2022 Patch 12 and earlier

Description A path traversal vulnerability found in Qlik Sense Enterprise for Windows allows an unauthenticated remote attacker to generate an anonymous session, enabling them to transmit HTTP requests to unauthorized endpoints. The vulnerability is related to insufficient input validation, which can be exploited by a remote attacker to send arbitrary HTTP requests.

Recommendations For Qlik Sense Enterprise for Windows versions May 2023 Patch 3 and earlier, update to May 2023 Patch 4 or later. For Qlik Sense Enterprise for Windows versions February 2023 Patch 7 and earlier, update to February 2023 Patch 8 or later. For Qlik Sense Enterprise for Windows versions November 2022 Patch 10 and earlier, update to November 2022 Patch 11 or later. For Qlik Sense Enterprise for Windows versions August 2022 Patch 12 and earlier, update to August 2022 Patch 13 or later. As a temporary workaround, consider restricting access to unauthorized endpoints until a patch is applied.