Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
No data.
No data.
| Vendor | Product | Confidence | Versions |
|---|---|---|---|
| Eqs | Convercent Whistleblowing Platform | — | — |
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
No reference.
Wed, 24 Dec 2025 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-693 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Wed, 24 Dec 2025 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Convercent Whistleblowing Platform Protection Mechanism Failure Insecure Default Browser & Session Controls | |
| Metrics |
ssvc
|
Wed, 24 Dec 2025 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage. | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action. |
| Metrics |
cvssV4_0
|
cvssV4_0
|
Tue, 16 Dec 2025 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eqs
Eqs convercent Whistleblowing Platform |
|
| Vendors & Products |
Eqs
Eqs convercent Whistleblowing Platform |
Mon, 15 Dec 2025 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 15 Dec 2025 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage. | |
| Title | Convercent Whistleblowing Platform Protection Mechanism Failure Insecure Default Browser & Session Controls | |
| Weaknesses | CWE-693 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: REJECTED
Assigner: VulnCheck
Published:
Updated: 2025-12-24T19:58:17.386Z
Reserved: 2025-04-15T19:15:22.599Z
Link: CVE-2025-34412
Vulnrichment
Updated:
NVD
Status : Rejected
Published: 2025-12-15T15:15:50.147
Modified: 2025-12-24T20:15:55.123
Link: CVE-2025-34412
Redhat
No data.
OpenCVE Enrichment
Updated: 2025-12-16T20:45:36Z
No weakness.