article SB: Cross-site scripting (XSS) vulnerability in Qlik Sense Enterprise in Official Support Articles

SB: Cross-site scripting (XSS) vulnerability in Qlik Sense Enterprise

Jamie_Gregory — Mon, 24 May 2021 23:59:28 GMT

Executive Summary

A cross-site scripting (XSS) issue, caused by improper validation of user-supplied input, has been identified in Qlik Sense Enterprise and Qlik Connector for use with SAP NetWeaver. This could lead to arbitrary JavaScript being executed in the context of a user if they visit a malicious page or link controlled by the attacker.

This issue was found as part of the Qlik secure engineering program and no reports of it being exploited have been received.

Affected Software

All Qlik Sense Enterprise versions prior to the versions listed below:

May 2021
February 2021 Patch 5
November 2020 Patch 10
September 2020 Patch 12
June 2020 Patch 16
April 2020 Patch 16
February 2020 Patch 12
November 2019 Patch 17
Qlik Connector for use with SAP NetWeaver 7.0.7

Severity Rating

This vulnerability is rated as high due to the possibility of privilege escalation.

The calculated CVSS score: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N 8.2 (High)

Vulnerability Details

Due to improper validation of user-supplied input, an authenticated user may be able insert arbitrary JavaScript into a page. Subsequent visitors to that page would then execute that JavaScript allowing the attacker to perform actions in the context of that user.

Recommendation

It is recommended to upgrade Qlik Sense Enterprise to a version containing the fixes as per the “Affected Software” section above.
It is recommended to upgrade Qlik Connector for use with SAP NetWeaver to a version containing the fixes as per the “Affected Software” section above.
Qlik Cloud Services (QCS) has already been patched.

All Qlik software can be downloaded from our official Qlik Download page (customer login required)

Re: SB: Cross-site scripting (XSS) vulnerability in Qlik Sense Enterprise

pth21 — Wed, 12 Jan 2022 19:47:32 GMT

Hello,

it looks like the XSS issue was resolved in Qlik Sense version September 2020, by upgrading the jQuery version.

There is additional work being done in the May 2021 version. Just wanted to clarify, is that related only to the Qlik Connector for use with SAP NetWeaver?

We are using the extensions. With regards to the XSS issue, if we are not using Qlik Connector for use with SAP NetWeaver, are we okay with the September 2020 version, or we have to upgrade to May 2021 version?

Thank you!

Re: SB: Cross-site scripting (XSS) vulnerability in Qlik Sense Enterprise

Jamie_Gregory — Thu, 13 Jan 2022 21:14:46 GMT

Hello @pth21 It affects Qlik Sense Enterprise and the SAP NetWeaver connector. If you're on September 2020, you should upgrade to the latest patch for September 2020. The fix for the issue is in September 2020 Patch 12 and above.