
Qlik, the popular business intelligence software vendor, has released urgent security patches to address a critical vulnerability in its QlikView platform.
This vulnerability, tracked as CVE-2024-29863 with a CVSS score of 7.8, could allow a malicious user with existing access to a Windows system running QlikView to escalate their privileges to the Administrator level.
The vulnerability stems from a race condition within the QlikView installer. If successfully exploited, this condition can trick the installer into executing unauthorized code with administrative rights. In essence, a low-privileged user could gain full control over the system.
The implications of this privilege escalation are severe: complete system takeover, lateral movement and data exfiltration. Qlik is unaware of any active exploits targeting this vulnerability.
QlikView users are strongly urged to update immediately to one of the patched versions:
- QlikView May 2023 SR2 (12.80.20200)
- QlikView May 2022 SR3 (12.70.20300)
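
To check a fleet against the two patched builds listed above, the following added example (not Qlik's code) triages installed version strings per release track. It assumes that a build below the listed one in the same 12.80 or 12.70 track still needs the update; the hostnames and inventory values are constructed for illustration.

```python
import re

# Patched builds exactly as listed in the advisory, keyed by release track.
PATCHED = {
    (12, 80): (12, 80, 20200),  # QlikView May 2023 SR2
    (12, 70): (12, 70, 20300),  # QlikView May 2022 SR3
}

def parse_version(text):
    """Parse 'major.minor.build[.rev]' into a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(version_text):
    """Classify one installed QlikView version against the listed patched builds."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    floor = PATCHED.get(version[:2])
    if floor is None:
        # The advisory names no patched build for this track; check with the vendor.
        return "track-not-listed"
    # Assumption: within a track, any build below the listed one is unpatched.
    return "patched" if version[:3] >= floor else "needs-update"

def triage_inventory(inventory):
    """Map each host in a {host: version} inventory to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "bi-app-01": "12.80.20200",
    "bi-app-02": "12.80.20100",
    "bi-app-03": "12.70.20300.0",
    "bi-app-04": "12.60.20500",
    "bi-app-05": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as `track-not-listed` or `unparseable` need manual review, since the advisory text above only names patched builds for the May 2023 and May 2022 tracks.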


