CVE-2015-3623 - Vulnerability Details - OpenCVE

XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qlik	Qlikview

Configuration 1 [-]

cpe:2.3:a:qlik:qlikview:*:sr11:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html
http://www.securityfocus.com/archive/1/536411/100/0/threaded
https://www.exploit-db.com/exploits/38118/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-09-16T18:00:00

Updated: 2024-08-06T05:47:57.710Z

Reserved: 2015-04-30T00:00:00

Link: CVE-2015-3623

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-09-16T18:59:02.957

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-3623

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "38118", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/38118/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html"}, {"name": "20150908 [CVE-2015-3623] Qlikview blind XXE Security Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/536411/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3623", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "38118", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/38118/"}, {"name": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html"}, {"name": "20150908 [CVE-2015-3623] Qlikview blind XXE Security Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536411/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:47:57.710Z"}, "title": "CVE Program Container", "references": [{"name": "38118", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/38118/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html"}, {"name": "20150908 [CVE-2015-3623] Qlikview blind XXE Security Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/536411/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3623", "datePublished": "2015-09-16T18:00:00", "dateReserved": "2015-04-30T00:00:00", "dateUpdated": "2024-08-06T05:47:57.710Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qlik:qlikview:*:sr11:*:*:*:*:*:*", "matchCriteriaId": "6CD8C0FF-CB8A-464D-AD27-8C5BC309D778", "versionEndIncluding": "11.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx."}, {"lang": "es", "value": "Vulnerabilidad de XML external entity (XXE) en QlikTech Qlikview en versiones anteriores a 11.20 SR12, permite a atacantes remotos llevar a cabo ataques de falsificaci\u00f3n de solicitud del lado del servidor (SSRF) y leer archivos arbitrarios a trav\u00e9s de datos XML manipulados en una petici\u00f3n a AccessPoint.aspx."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2015-3623", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-09-16T18:59:02.957", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/536411/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/38118/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/133499/Qlikview-11.20-SR4-Blind-XXE-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/536411/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/38118/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}