CVE-2025-34412

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

24 Dec 2025, 20:15

Type Values Removed Values Added
References
  • {'url': 'https://seclists.org/fulldisclosure/2025/Dec/4', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.convercent.com/', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.eqs.com/en-us/platform-convercent-clients/', 'source': 'disclosure@vulncheck.com'}
  • {'url': 'https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls', 'source': 'disclosure@vulncheck.com'}
CWE CWE-693
Summary (en) The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage. (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.

15 Dec 2025, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-12-15 15:15

Updated : 2025-12-24 20:15


NVD link : CVE-2025-34412

Mitre link : CVE-2025-34412

CVE.ORG link : CVE-2025-34412


JSON object : View

Products Affected

No product.

CWE

No CWE.