CVE-2019-19611

by adidionxlm

Abstract Advisory Information

RAQuest is a software solution for handling foreign withholding taxes.

One of the exposed web services allows an anonymous user to access the list of connected users as well as the session cookie associated with each of them.

Authors: Julien Oury–Nogues and Dominique Righetto from Excellium-Services company

Version affected

Name: Halvotec Raquest
Versions: 10.23.10801.0

Common Vulnerability Scoring System

8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Patches

Release 10.24.11206.1

References

None

Vulnerability Disclosure Timeline

  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: Vendor contacted.
  • 09/09/2019: Vendor correctly received the attachment.
  • 13/09/2019: Asked vendor for an acknowledgement.
  • 20/09/2019: Asked vendor for an acknowledgement.
  • 29/10/2019: Vendor will release a fix in November
  • 03/12/2019: Asked vendor whether the fix was released
  • 03/12/2019: Requested CVE-ID
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
  • 24/12/2019: Public disclosure.
  • 24/03/2020: Vendor confirms the fix in the November release 10.24.11206.1