Abstract Advisory Information
RAQuest is a software solution for handling foreign withholding taxes.
One of the exposed web services allows an anonymous user to retrieve the list of connected users together with the session cookie associated with each of them.
Authors: Julien Oury-Nogues and Dominique Righetto from the Excellium-Services company
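To make the flaw class concrete for defenders, here is an added illustration (constructed for this advisory, not RAQuest's code): a minimal in-memory session store with the weak "connected users" handler beside a hardened one that requires an authenticated administrator and never returns the cookie value. All names, data and the fingerprint scheme are assumptions.

```python
# Constructed illustration of the advisory's flaw class (not RAQuest code):
# an unauthenticated "connected users" service returning live session cookies.
import hashlib
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    cookie: str          # the bearer secret; must never leave the server
    is_admin: bool = False

# Constructed sample data standing in for the server's session table.
SESSIONS = {
    "c0ffee01": Session("alice", "c0ffee01", is_admin=True),
    "deadbeef": Session("bob", "deadbeef"),
}

def weak_list_connected(_request_cookie):
    """Pattern described in the advisory: no authentication check, and the
    response carries each user's session cookie, so any anonymous caller
    receives every active session's bearer secret."""
    return [{"user": s.user, "cookie": s.cookie} for s in SESSIONS.values()]

def hardened_list_connected(request_cookie):
    """Hardened form: the caller must present a valid administrator
    session, and sessions are identified only by a one-way fingerprint,
    never by the cookie value itself."""
    caller = SESSIONS.get(request_cookie)
    if caller is None:
        raise PermissionError("authentication required")
    if not caller.is_admin:
        raise PermissionError("administrator role required")
    return [
        {"user": s.user,
         "session_id": hashlib.sha256(s.cookie.encode()).hexdigest()[:12]}
        for s in SESSIONS.values()
    ]

def leaks_secret(response):
    """Regression check: does a response body contain any live cookie value?
    Run it against the real handler's output in a unit test."""
    return any(s.cookie in str(response) for s in SESSIONS.values())
```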
Version affected
Name: Halvotec Raquest
Versions: 10.23.10801.0
Common Vulnerability Scoring System
8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Patches
Release 10.24.11206.1
References
None
Vulnerability Disclosure Timeline
- 22/08/2019: Vulnerability discovered.
- 28/08/2019: Vendor contacted.
- 09/09/2019: Vendor confirms receipt of the attachment.
- 13/09/2019: Acknowledgement requested from vendor.
- 20/09/2019: Acknowledgement requested from vendor.
- 29/10/2019: Vendor states a fix will be released in November.
- 03/12/2019: Vendor asked whether the fix has been released.
- 03/12/2019: CVE ID requested.
- 17/12/2019: Responsible disclosure with CSSF and CERT-BUND.
- 24/12/2019: Public disclosure.
- 24/03/2020: Vendor confirms the fix was released in November as 10.24.11206.1.
- 10/06/2020: Vendor confirms the release date of 10.24.11206.1 as 06/12/2019.