CVE-2025-34411

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.

CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

24 Dec 2025, 20:15

Type: CWE
  Values Removed: CWE-862
  Values Added: (none)

Type: Summary
  Values Removed: (en) The Convercent Whistleblowing Platform operated by EQS Group exposes an unauthenticated API endpoint at /GetLegalEntity that returns internal customer legal-entity names based on a supplied searchText fragment. A remote unauthenticated attacker can query the endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure.
  Values Added: (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.

Type: References
  Values Removed:
  • https://seclists.org/fulldisclosure/2025/Dec/4 (source: disclosure@vulncheck.com)
  • https://www.convercent.com/ (source: disclosure@vulncheck.com)
  • https://www.eqs.com/en-us/platform-convercent-clients/ (source: disclosure@vulncheck.com)
  • https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-unauthenticated-getlegalentity-endpoing-enables-customer-enumeration (source: disclosure@vulncheck.com)
  Values Added: (none)

15 Dec 2025, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-12-15 15:15

Updated : 2025-12-24 20:15


NVD link : CVE-2025-34411

Mitre link : CVE-2025-34411

CVE.ORG link : CVE-2025-34411


Products Affected

No product.

CWE

No CWE.