Abstract Advisory Information
RAQuest is a software solution for handling foreign withholding taxes.
The login page of the admin application is vulnerable to an Open Redirect attack, allowing an attacker to redirect a user to a malicious site after an authentication phase.
The attacker needs to be in same network and should be able to modify the victims request on the wire.
Authors: Julien Oury–Nogues from Excellium-Services company
Name: Halvotec Raquest
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 22/08/2019: Vulnerability discovered.
- 28/08/2019: vendor contacted.
- 09/09/2019: vendor correctly receive the attachment.
- 13/09/2019: Ask vendor an Acknowledgement.
- 20/09/2019: Ask vendor an Acknowledgement.
- 29/10/2019: Vendor does not considered this issue as it. No patch will be released.
- 03/12/2019: Request CVE-ID
- 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
- 24/12/2019: Public disclosure.
- 27/03/2020: vendor announces a fix for end of May 2020