by adidionxlm

Abstract Advisory Information

RAQuest is a software solution for handling foreign withholding taxes.

The entire application is prone to stored Cross-site Scripting (XSS) attack in several features of the application.
This vulnerability allows an attacker to perform action on behalf of the user, exfiltrate data, perform network discovery operations or run request against others web applications deployed on the same network than the server on which the application is deployed.

Authors: Julien Oury-Nogues and Dominique Righetto from Excellium-services company

Version affected

Name: Halvotec Raquest
Versions: 10.23.10801.0

Common Vulnerability Scoring System



Version 24.2020.20608.0



Vulnerability Disclosure Timeline

  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: vendor contacted.
  • 09/09/2019: vendor correctly received the attachment.
  • 13/09/2019: Ask vendor an Acknowledgement.
  • 20/09/2019: Ask vendor an Acknowledgement.
  • 29/10/2019: Vendor does not recognize this issue. No patch will be released.
  • 03/12/2019: Request CVE-ID
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
  • 24/12/2019: Public disclosure.
  • 27/03/2020: vendor announces a fix for end of May 2020
  • 10/06/2020: Vendor notification; fixed in Release 24.2020.20608.0, Date 8.6.2020