Abstract Advisory Information


RAQuest is a software solution for handling foreign withholding taxes.

The entire application is prone to stored Cross-site Scripting (XSS) attack in several features of the application.

This vulnerability allows an attacker to perform action on behalf of the user, exfiltrate data, perform network discovery operations or run request against others web applications deployed on the same network than the server on which the application is deployed.

Authors: Julien Oury-Nogues and Dominique Righetto 

Version affected


Name: Halvotec Raquest

Versions: 10.23.10801.0

Common Vulnerability Scoring System


5.4

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches


Version 24.2020.20608.0

References


None

Vulnerability Disclosure Timeline


  • 22/08/2019: Vulnerability discovered.
  • 28/08/2019: vendor contacted.
  • 09/09/2019: vendor correctly received the attachment.
  • 13/09/2019: Ask vendor an Acknowledgement.
  • 20/09/2019: Ask vendor an Acknowledgement.
  • 29/10/2019: Vendor does not recognize this issue. No patch will be released.
  • 03/12/2019: Request CVE-ID
  • 17/12/2019: Responsible disclosure with CSSF and CERT-BUND
  • 24/12/2019: Public disclosure.
  • 27/03/2020: vendor announces a fix for end of May 2020
  • 10/06/2020: Vendor notification; fixed in Release 24.2020.20608.0, Date 8.6.2020