Executive Summary
A cross-site scripting (XSS) issue, caused by improper validation of user-supplied input, has been identified in Qlik Sense Enterprise and Qlik Connector for use with SAP NetWeaver. This could lead to arbitrary JavaScript being executed in the context of a user if they visit a malicious page or link controlled by the attacker.
This issue was found as part of the Qlik secure engineering program and no reports of it being exploited have been received.
Affected Software
All Qlik Sense Enterprise versions prior to the versions listed below:
- May 2021
- February 2021 Patch 5
- November 2020 Patch 10
- September 2020 Patch 12
- June 2020 Patch 16
- April 2020 Patch 16
- February 2020 Patch 12
- November 2019 Patch 17
- Qlik Connector for use with SAP NetWeaver 7.0.7
Severity Rating
This vulnerability is rated as high due to the possibility of privilege escalation.
The calculated CVSS score: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N 8.2 (High)
Vulnerability Details
Due to improper validation of user-supplied input, an authenticated user may be able insert arbitrary JavaScript into a page. Subsequent visitors to that page would then execute that JavaScript allowing the attacker to perform actions in the context of that user.
Recommendation
- It is recommended to upgrade Qlik Sense Enterprise to a version containing the fixes as per the “Affected Software” section above.
- It is recommended to upgrade Qlik Connector for use with SAP NetWeaver to a version containing the fixes as per the “Affected Software” section above.
- Qlik Cloud Services (QCS) has already been patched.
All Qlik software can be downloaded from our official Qlik Download page (customer login required)
