Abstract Advisory Information
RAQuest is a software solution for handling foreign withholding taxes.
The entire application is prone to stored Cross-site Scripting (XSS) attack in several features of the application.
This vulnerability allows an attacker to perform action on behalf of the user, exfiltrate data, perform network discovery operations or run request against others web applications deployed on the same network than the server on which the application is deployed.
Authors: Julien Oury-Nogues and Dominique Righetto from Excellium-services company
Name: Halvotec Raquest
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 22/08/2019: Vulnerability discovered.
- 28/08/2019: vendor contacted.
- 09/09/2019: vendor correctly received the attachment.
- 13/09/2019: Ask vendor an Acknowledgement.
- 20/09/2019: Ask vendor an Acknowledgement.
- 29/10/2019: Vendor does not recognize this issue. No patch will be released.
- 03/12/2019: Request CVE-ID
- 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
- 24/12/2019: Public disclosure.
- 27/03/2020: vendor announces a fix for end of May 2020