SB: External Entity Processing Vulnerability in QlikView Server

A critical XML External Entity (XXE) Processing vulnerability has been discovered in QlikView Server v11.20 which could allow users unauthorized access to files located on the webserver.
High Risk:
Web Server XML EXX

Low/Medium Risk:
Traffic between QlikView Services which is sent in XML format.   Non-Web Server QlikView Services XML traffic can only be exploited by users who are members of QlikView Administrators security group.

Affected Versions:
All QlikView Server Releases [SR] before 11.20 Service Release 12 are affected.

Details:
A successful exploit of XML External Entity (XXE) Processing [1], vulnerability could

1. Allow user unauthorized access to local and network shared files accessible by the webserver (disclosure of information), in the context of the QlikView application pool account.
2. Could also allow user to force the webserver to proxy by the user defined/formed URL query to user defined targets.

References:
[1] https://cwe.mitre.org/data/definitions/611.html Improper Restriction of XML External Entity Reference ('XXE')
[2] https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=qlikview

The XXE vulnerability was addressed in QlikView Server 11.20 SR12. 

The full fix, included in 11.20 SR12, covers all XML traffic, both in the Web Server and between the QlikView Services. 

We encourage users to investigate the XXE vulnerability to assess their level of exposure and risk, and to decide on the appropriate course of action.