CVE-2025-34412 - Vulnerability Details

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Eqs Subscribe	Convercent Whistleblowing Platform Subscribe

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Eqs Subscribe	Convercent Whistleblowing Platform Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

No reference.

History

Wed, 24 Dec 2025 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-693
References	https://seclists.org/fulldisclosure/2025/Dec/4 https://www.convercent.com/ https://www.eqs.com/en-us/platform-convercent-clients/ https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls
Metrics	cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Wed, 24 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Title	Convercent Whistleblowing Platform Protection Mechanism Failure Insecure Default Browser & Session Controls
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 24 Dec 2025 20:00:00 +0000

Type	Values Removed	Values Added
Description	The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action.
Metrics	cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}`

Tue, 16 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eqs Eqs convercent Whistleblowing Platform
Vendors & Products		Eqs Eqs convercent Whistleblowing Platform

Mon, 15 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 15 Dec 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage.
Title		Convercent Whistleblowing Platform Protection Mechanism Failure Insecure Default Browser & Session Controls
Weaknesses		CWE-693
References		https://seclists.org/fulldisclosure/2025/Dec/4 https://www.convercent.com/ https://www.eqs.com/en-us/platform-convercent-clients/ https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2025-12-15T14:44:13.924Z

Updated: 2025-12-24T19:58:17.386Z

Reserved: 2025-04-15T19:15:22.599Z

Link: CVE-2025-34412

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-12-15T15:15:50.147

Modified: 2025-12-24T20:15:55.123

Link: CVE-2025-34412

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-12-16T20:45:36Z

Weaknesses

No weakness.

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object