CVE-2024-29863
https://notcve.org/view.php?id=CVE-2024-29863
05 Apr 2024 — A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator. Una condición de ejecución en instalador ejecutable en Qlik Qlikview anterior a las versiones SR3 de mayo de 2022 (12.70.20300) y SR2 de mayo de 2023 (12,80.20200) puede permitir que un usuario existente con privilegios inferiores haga que el código se ejecute... • https://github.com/pawlokk/qlikview-poc-CVE-2024-29863 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2022-42248
https://notcve.org/view.php?id=CVE-2022-42248
06 Mar 2023 — QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality. • http://qlikview.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41989
https://notcve.org/view.php?id=CVE-2021-41989
26 Jan 2023 — Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Directory with Insecure Permissions. • https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0001.md • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2019-11628
https://notcve.org/view.php?id=CVE-2019-11628
01 May 2019 — An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and 12.30 before SR2; and Qlik Sense Enterprise and Qlik Analytics Platform installations that lack these patch levels: February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4, or February 2019 Patch 2. An authenticated user may be able to bypass intended file-read restrictions via crafted Browser requests. Fue encontrado un problema en QlikVi... • https://qliksupport.force.com/articles/000069985 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVE-2015-3623 – Qlikview 11.20 SR11 - Blind XML External Entity Injection
https://notcve.org/view.php?id=CVE-2015-3623
09 Sep 2015 — XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx. Vulnerabilidad de XML external entity (XXE) en QlikTech Qlikview en versiones anteriores a 11.20 SR12, permite a atacantes remotos llevar a cabo ataques de falsificación de solicitud del lado del servidor (SSRF) y leer archivos arbitrarios a través de datos XML manipulados e... • https://www.exploit-db.com/exploits/38118 •