CVE-2019-19613

CVE-2019-19613

by adidionxlm

Abstract Advisory Information

RAQuest is a software solution for handling foreign withholding taxes.

The login page of the admin application is vulnerable to an Open Redirect attack, allowing an attacker to redirect a user to a malicious site after an authentication phase.
The attacker needs to be in same network and should be able to modify the victims request on the wire.

Authors: Julien Oury–Nogues from Excellium-Services company

Version affected

Name: Halvotec Raquest
Versions: 10.23.10801.0

Common Vulnerability Scoring System

4.3
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Patches

Unknown

References

None

Vulnerability Disclosure Timeline

  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: vendor contacted.
  • 09/09/2019: vendor correctly receive the attachment.
  • 13/09/2019: Ask vendor an Acknowledgement.
  • 20/09/2019: Ask vendor an Acknowledgement.
  • 29/10/2019: Vendor does not considered this issue as it. No patch will be released.
  • 03/12/2019: Request CVE-ID
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
  • 24/12/2019: Public disclosure.
  • 27/03/2020: vendor announces a fix for end of May 2020
Top