Abstract Advisory Information


RAQuest is a software solution for handling foreign withholding taxes.

One of the exposed web services allows an anonymous user to retrieve the list of connected users together with the session cookie associated with each of them. Since a session cookie is all that is needed to act as the corresponding user, an unauthenticated attacker can hijack any active session, including that of an administrator.
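As an added illustration of the vulnerability class, not Raquest code and not a reproduction of the affected endpoint (the advisory does not give its name, URL or response format), the following Python models an unauthenticated "connected users" service that returns session cookies, shows how an anonymous caller turns that into a session hijack, and places a hardened handler beside it. The in-memory session store, the request dictionary shape, the handler names and the sample users are all assumptions made for this example.

```python
"""Unauthenticated session-list endpoint: vulnerable handler, hijack, and fix.

Added example for this advisory page. Everything here (session store,
request shape, handler names, sample users) is hypothetical and does not
describe how the affected product implements its web service.
"""
import json
import secrets

# Constructed in-memory session store: session id -> user record.
SESSIONS = {}


def new_session(user, role):
    """Create a session with a 128-bit random id, as a login would."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "role": role, "since": "2019-08-22T09:00:00Z"}
    return sid


# Constructed sample data: three users currently logged in.
ALICE_COOKIE = new_session("alice", "admin")
BOB_COOKIE = new_session("bob", "user")
CAROL_COOKIE = new_session("carol", "user")


def whoami(request):
    """Any protected endpoint: identifies the caller purely by session cookie."""
    caller = SESSIONS.get(request.get("cookie", ""))
    return caller["user"] if caller else None


def vulnerable_connected_users(request):
    """The flaw: no authentication check, and the session id of every
    connected user is included in the response body."""
    body = [{"user": s["user"], "session": sid} for sid, s in SESSIONS.items()]
    return {"status": 200, "body": body}


def hardened_connected_users(request):
    """Fix: require an authenticated administrator, and never return session
    identifiers; a user list only needs names and login times."""
    caller = SESSIONS.get(request.get("cookie", ""))
    if caller is None:
        return {"status": 401, "body": []}
    if caller["role"] != "admin":
        return {"status": 403, "body": []}
    body = [{"user": s["user"], "since": s["since"]} for s in SESSIONS.values()]
    return {"status": 200, "body": body}


def hijack_via_vulnerable_endpoint(target_user):
    """Anonymous attacker: read the session list, take the target's cookie,
    and call a protected endpoint with it. Returns the identity obtained."""
    listing = vulnerable_connected_users({})  # no cookie at all
    for entry in listing["body"]:
        if entry["user"] == target_user:
            return whoami({"cookie": entry["session"]})
    return None


def leaks_session_ids(response):
    """Regression check usable against any handler: does the serialized
    response body contain a live session id?"""
    text = json.dumps(response["body"])
    return any(sid in text for sid in SESSIONS)


if __name__ == "__main__":
    print("anonymous hijack yields:", hijack_via_vulnerable_endpoint("alice"))
    print("vulnerable leaks ids:", leaks_session_ids(vulnerable_connected_users({})))
    print("hardened, anonymous:", hardened_connected_users({})["status"])
    print("hardened, admin leaks ids:",
          leaks_session_ids(hardened_connected_users({"cookie": ALICE_COOKIE})))
```

The check in leaks_session_ids is the one worth keeping in a test suite after a fix like 10.24.11206.1 is deployed: authentication on the endpoint is necessary, but the response should also be scanned so that session identifiers never reappear in any user-facing listing, even for administrators.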

Authors: Julien Oury–Nogues and Dominique Righetto 

Version affected


Name: Halvotec Raquest

Versions: 10.23.10801.0

Common Vulnerability Scoring System


8.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Patches


Release 10.24.11206.1

References


None

Vulnerability Disclosure Timeline


  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: Vendor contacted.
  • 09/09/2019: Vendor confirms receipt of the attachment.
  • 13/09/2019: Asked the vendor for an acknowledgement.
  • 20/09/2019: Asked the vendor for an acknowledgement.
  • 29/10/2019: Vendor announces a fix for November.
  • 03/12/2019: Asked the vendor whether the fix had been released.
  • 03/12/2019: CVE ID requested.
  • 17/12/2019: Coordinated disclosure with CSSF and CERT-BUND.
  • 24/12/2019: Public disclosure.
  • 24/03/2020: Vendor confirms that the fix announced for November was released as 10.24.11206.1.
  • 10/06/2020: Vendor confirms the release date of 10.24.11206.1 as 06/12/2019.