by adidionxlm

Abstract Advisory Information

RAQuest is a software solution for handling foreign withholding taxes.

The login page of the admin application is vulnerable to an Open Redirect attack, allowing an attacker to redirect a user to a malicious site after the authentication phase.
The attacker needs to be on the same network and must be able to modify the victim's request on the wire.
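As a mitigation sketch (an added example, not code from the advisory or the vendor), a login handler can accept a post-authentication redirect target only when it is a path on the same site. The advisory does not name the affected parameter, so the function name `safe_redirect_target` and the default landing page `/` are assumptions.

```python
from urllib.parse import urlsplit

# Assumed landing page used whenever the requested target is rejected.
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return candidate only if it is a same-site absolute path, else default."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Control characters and whitespace are stripped or reinterpreted by
    # browsers, so "/\t/host" can end up being treated like "//host".
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Browsers treat a backslash like a slash: "/\host" behaves as "//host".
    if "\\" in candidate:
        return default
    # Require an absolute path; reject scheme-relative URLs such as "//host".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return candidate


def demo():
    """Run the check over constructed sample values (not from the advisory)."""
    samples = [
        "/dashboard?tab=1",             # local path: accepted
        "https://attacker.example/",    # absolute URL: rejected
        "//attacker.example/",          # scheme-relative: rejected
        "/\\attacker.example",          # backslash variant: rejected
        "/\t/attacker.example",         # embedded control character: rejected
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for raw, chosen in demo().items():
        print(repr(raw), "->", chosen)
```

Because the target value arrives in a request that can be altered in transit, the check has to run on the server at the moment the redirect is issued.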

Authors: Julien Oury–Nogues from Excellium-Services company

Version affected

Name: Halvotec Raquest
Versions: 10.23.10801.0

Common Vulnerability Scoring System



Version 24.2020.20608.0



Vulnerability Disclosure Timeline

  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: Vendor contacted.
  • 09/09/2019: Vendor correctly received the attachment.
  • 13/09/2019: Asked vendor for an acknowledgement.
  • 20/09/2019: Asked vendor for an acknowledgement.
  • 29/10/2019: Vendor does not consider this to be an issue. No patch will be released.
  • 03/12/2019: CVE-ID requested.
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND.
  • 24/12/2019: Public disclosure.
  • 27/03/2020: Vendor announces a fix for end of May 2020.
  • 10/06/2020: Vendor notification; fixed in Release 24.2020.20608.0, Date 8.6.2020.