Vulnerability

Stored Cross-Site Scripting

Affected Products and Versions

Qlik View <= 12.60 (Including SR)

CVEID:

CVE-2022-42248.

CVSSv3.1 Score

7.6 (High)

CVSSv3.1 Attack Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Short Description

In QlikView Ajax Client it was possibile to bypass the limitation on the allowed protocols when creating an interactive object via a specially crafted HTTP POST request, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload.

Remediation

Update QlikView to 12.70 SR2 or above

Discoverer

Giulio Garzia

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42248 https://nvd.nist.gov/vuln/detail/CVE-2022-42248 https://community.qlik.com/t5/Release-Notes/QlikView-Release-Notes-May-2022-SR2/ta-p/2037704 (Issue ID: QV-23876)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Vulnerability

Affected Products and Versions

CVEID:

CVSSv3.1 Score

CVSSv3.1 Attack Vector

Short Description

Remediation

Discoverer

Reference

Files

README.md

Latest commit

History

README.md

File metadata and controls

Vulnerability

Affected Products and Versions

CVEID:

CVSSv3.1 Score

CVSSv3.1 Attack Vector

Short Description

Remediation

Discoverer

Reference