CVE-2019-19614

CVE-2019-19614

by adidionxlm

Abstract Advisory Information

RAQuest is a software solution for handling foreign withholding taxes.

The login page is vulnerable to a wildcard injection allowing an attacker to enumerate the list of users sharing an identical password.

Authors: Julien Oury–Nogues from Excellium-services company

Version affected

Name: Halvotec Raquest
Versions: 10.23.10801.0

Common Vulnerability Scoring System

4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Patches

Release 10.24.11206.1

References

None

Vulnerability Disclosure Timeline

  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: vendor contacted.
  • 09/09/2019: vendor correctly receive the attachment.
  • 13/09/2019: Ask vendor an Acknowledgement.
  • 20/09/2019: Ask vendor an Acknowledgement.
  • 29/10/2019: Vendor will release a fix on November
  • 03/12/2019: Ask Vendor if the fix was released
  • 03/12/2019: Ask CVE-ID
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
  • 24/12/2019: Public disclosure.
  • 24/03/2020: Vendor confirms fix in November released 10.24.11206.1
Top