ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)
Sourceet/open
CreatedJanuary 31, 2025
UpdatedJanuary 31, 2025
Classificationattempted-admin
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)"; flow:established,to_server; content:"POST /qrs/"; pcre:"/^(?:ExternalProgramTask\x2fcreate|user)/R"; content:"|3f|xrfkey|3d|"; within:50; content:"X-Qlik-xrfkey|3a 20|"; nocase; distance:0; content:"X-Qlik-user|3a 20|"; distance:0; nocase; http.method; content:"HEAD"; http.cookie; content:"X-Qlik-Session|3d|"; http.header_names; content:"|0d 0a|X-Qlik-Xrfkey|0d 0a|"; fast_pattern; http.header; content:"Transfer-Encoding|3a 20 2c 09|chunked|2c 0d 0a|"; reference:url,www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-48365; classtype:attempted-admin; sid:2059793; rev:1; metadata:affected_product Qlik_Sense_Enterprise, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_31, cve CVE_2023_48365, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
References
Metadata
affected productQlik_Sense_Enterprise
attack targetWeb_Server
tls stateTLSDecrypt
created at2025_01_31
deploymentSSLDecrypt
performance impactLow
confidenceHigh
signature severityMajor
tagCISA_KEV
updated at2025_01_31
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1190
mitre technique nameExploit_Public_Facing_Application
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!