A critical XML External Entity (XXE) Processing vulnerability has been discovered in QlikView Server v11.20 which could allow users unauthorized access to files located on the webserver.

High Risk:
Web Server XML XXE

Low/Medium Risk:
Traffic between QlikView Services which is sent in XML format. Non-Web Server QlikView Services XML traffic can only be exploited by users who are members of the QlikView Administrators security group.

Affected Versions:
All QlikView Server Releases [SR] before 11.20 Service Release 12 are affected.

Details:
A successful exploit of the XML External Entity (XXE) Processing vulnerability could:
- Allow a user unauthorized access to local and network shared files accessible by the webserver (disclosure of information), in the context of the QlikView application pool account.
- Allow a user to force the webserver to proxy a user-defined URL query to user-defined targets.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE'), https://cwe.mitre.org/data/definitions/611.html
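The mitigation for both impacts listed above is to refuse DTD processing at the point where a service accepts XML. The following is an added example, not code from QlikView or from this advisory; it uses Python's expat bindings to reject any DOCTYPE or entity declaration before the parser can resolve it, and the sample messages (CLEAN, XXE) are constructed for illustration only.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_without_dtd(xml_bytes: bytes) -> str:
    """Parse untrusted XML and return its root tag; any DOCTYPE is refused
    before expat can act on entity declarations (no file or URL fetches)."""
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE declaration for <{name}>")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: normally unreachable once DOCTYPE is refused.
        kind = "external" if sysid else "internal"
        raise DtdRejected(f"{kind} entity declaration &{name};")

    def on_external_ref(context, base, sysid, pubid):
        return False  # never fetch; expat turns this into a parse error

    def on_start(tag, attrs):
        if not root:
            root.append(tag)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return root[0]


def check_message(xml_bytes: bytes) -> dict:
    """Accept/reject verdict suitable for logging at a service boundary."""
    try:
        return {"accepted": True, "root": parse_without_dtd(xml_bytes), "reason": None}
    except DtdRejected as exc:
        return {"accepted": False, "root": None, "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"accepted": False, "root": None, "reason": f"malformed: {exc}"}


# Constructed sample messages (not real QlikView traffic).
CLEAN = b'<?xml version="1.0"?><Request><Op>ping</Op></Request>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE Request [<!ENTITY ext SYSTEM '
       b'"file:///placeholder/path">]><Request>&ext;</Request>')
```

Logging the returned reason gives a detection signal for the XML-carrying service traffic the advisory describes, while the rejection itself removes the file-read and proxying impacts.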