QlikView Server AccessPoint XML External Entity Injection

Severity: Medium | Nessus Plugin ID 91782

Synopsis

A web application installed on the remote host is affected by an XML external entity injection vulnerability.

Description

The version of QlikView Server running on the remote host is 11.20 prior to 11.20 SR12. It is, therefore, affected by an XML external entity (XXE) injection vulnerability, specifically DTD parameter injection, in the /AccessPoint.aspx script due to an incorrectly configured XML parser accepting XML external entities from untrusted sources. An unauthenticated, remote attacker can exploit this, via crafted XML data, to conduct server-side request forgery (SSRF) attacks and to read arbitrary files.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
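The root cause named above is an XML parser that processes a DTD supplied by the client, which is the only place external and parameter entities can be declared. The server-side fix is to refuse DTD processing outright; for an ASP.NET page such as AccessPoint.aspx that means parsing with an XmlReaderSettings whose DtdProcessing is DtdProcessing.Prohibit and whose XmlResolver is null. The Python example below is added here and is not code from the Nessus plugin or from QlikView: it applies the same prohibit-DTD policy with the standard-library expat parser, and adds a request-body check that a reverse proxy or log pipeline could use to flag DTD parameter-entity declarations before they reach an XML parser. The sample documents, the hostname placeholder.invalid and the file path are constructed for the demonstration.

```python
import re
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised when a document carries any DOCTYPE, internal or external."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse XML with expat while refusing DOCTYPEs and external entities.

    Returns the element names in document order and the concatenated text,
    enough to show what a hardened parse of a benign document yields.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, text_buf = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the DOCTYPE, before any entity in the
        # internal subset is declared, let alone resolved. Equivalent in
        # intent to .NET DtdProcessing.Prohibit.
        raise DtdRejected(
            f"DOCTYPE {name!r} rejected (sysid={sysid!r}, "
            f"internal_subset={bool(has_internal_subset)})"
        )

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat treat the reference as a fatal error
        # instead of fetching system_id (defense in depth: unreachable while
        # DOCTYPEs are rejected, but it keeps the parser safe if that changes).
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text_buf.append
    parser.Parse(xml_bytes, True)
    return {"elements": elements, "text": "".join(text_buf).strip()}


def classify(xml_bytes: bytes) -> str:
    """Outcome label for a request body run through the hardened parser."""
    try:
        parse_without_dtd(xml_bytes)
    except DtdRejected:
        return "rejected-doctype"
    except xml.parsers.expat.ExpatError:
        return "parse-error"
    return "parsed"


# Detection side: a DOCTYPE is suspicious on an endpoint that never expects
# one, and an ENTITY declared with SYSTEM/PUBLIC (general or "%" parameter)
# is the signature of an XXE attempt.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXT_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def xxe_indicator(body: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'none' for a request body."""
    if _EXT_ENTITY_RE.search(body):
        return "external-entity"
    if _DOCTYPE_RE.search(body):
        return "doctype"
    return "none"


# Constructed sample bodies (not captured traffic).
BENIGN = b'<?xml version="1.0"?><login><user>alice</user></login>'
PARAM_ENTITY = (
    b'<?xml version="1.0"?><!DOCTYPE login [<!ENTITY % ext SYSTEM '
    b'"http://placeholder.invalid/external.dtd"> %ext;]>'
    b'<login><user>alice</user></login>'
)
GENERAL_ENTITY = (
    b'<?xml version="1.0"?><!DOCTYPE login [<!ENTITY ref SYSTEM '
    b'"file:///placeholder/path">]><login><user>&ref;</user></login>'
)
BARE_DOCTYPE = b'<!DOCTYPE login><login><user>alice</user></login>'


if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("param", PARAM_ENTITY),
                        ("general", GENERAL_ENTITY), ("doctype", BARE_DOCTYPE)]:
        print(f"{label:8} parser={classify(body):17} detector={xxe_indicator(body)}")
```

Rejecting every DOCTYPE, rather than trying to filter individual entity declarations, is the policy to copy: a parser that never enters DTD processing has no entity table to poison, so both the parameter-entity form named in the description and the plain general-entity form fail at the same point. The regex detector is the weaker, complementary control, useful for alerting on traffic to an endpoint that has no business receiving a DTD at all.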

Solution

Upgrade to QlikView Server version 11.20 SR12 or later.

See Also

http://www.nessus.org/u?9ff83979

https://seclists.org/bugtraq/2015/Sep/30

http://www.nessus.org/u?00d3387a

Plugin Details

Severity: Medium

ID: 91782

File Name: qlikview_server_11_20_SR12.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 6/23/2016

Updated: 11/14/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:qlik:qlikview

Required KB Items: installed_sw/QlikView Server

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 6/9/2015

Vulnerability Publication Date: 9/8/2015

Reference Information

CVE: CVE-2015-3623