Abstract Advisory Information
RAQuest is a software solution for handling foreign withholding taxes.
The login page is vulnerable to a wildcard injection that allows an attacker to enumerate the users sharing an identical password.
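As an added illustration, not code from the advisory or from the vendor's product, the following shows the kind of login lookup that produces this behaviour, on the assumption that the username is matched with a SQL LIKE pattern so that a submitted '%' matches every account; the table, accounts and function names are constructed for the demo. The hardened variant matches the username exactly and accepts only a single row.

```python
import sqlite3

# Constructed sample accounts (not data from the advisory). Passwords are
# stored in clear here only to keep the demo short; a real system stores
# a salted hash and verifies it after looking the user up by exact name.
USERS = [
    ("alice", "hunter2"),
    ("bob", "hunter2"),
    ("carol", "s3cret"),
]


def make_db():
    """In-memory user table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_with_like(conn, username, password):
    """Assumed vulnerable pattern: the username is matched with LIKE.
    The query is parameterised, so there is no classic SQL injection, but
    LIKE still treats '%' and '_' in the bound value as wildcards. A
    submitted username of '%' therefore matches every account whose
    password equals the submitted one, which is the enumeration the
    advisory describes. Returns every matching username."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


def login_exact(conn, username, password):
    """Hardened lookup: exact equality on the username, and success only
    when exactly one row matches, so wildcard characters are inert and one
    request can never confirm a password for more than one account."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    db = make_db()
    print(login_with_like(db, "%", "hunter2"))  # ['alice', 'bob']
    print(login_exact(db, "%", "hunter2"))      # None
    print(login_exact(db, "alice", "hunter2"))  # alice
```

A login that returns more than one matching row, or a username containing LIKE metacharacters, is the condition a defender should log and reject.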
Author: Julien Oury-Nogues, Excellium-services
Version affected
Name: Halvotec Raquest
Versions: 10.23.10801.0
Common Vulnerability Scoring System
Base score: 4.8
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Patches
Release 10.24.11206.1
References
None
Vulnerability Disclosure Timeline
- 22/08/2019: Vulnerability discovered.
- 28/08/2019: Vendor contacted.
- 09/09/2019: Vendor confirms receipt of the attachment.
- 13/09/2019: Acknowledgement requested from the vendor.
- 20/09/2019: Acknowledgement requested from the vendor again.
- 29/10/2019: Vendor announces that a fix will be released in November.
- 03/12/2019: Vendor asked whether the fix has been released.
- 03/12/2019: CVE-ID requested.
- 17/12/2019: Responsible disclosure with CSSF and CERT-BUND.
- 24/12/2019: Public disclosure.
- 24/03/2020: Vendor confirms that the fix announced for November was released as 10.24.11206.1.
- 10/06/2020: Vendor confirms the release date of 10.24.11206.1 as 06/12/2019.