EQS Group Convercent Whistleblowing Platform Unauthenticated Customer Enumeration Vulnerability
Vulnerability
A vulnerability exists in the Convercent Whistleblowing Platform, managed by EQS Group, through an unauthenticated API endpoint that exposes internal customer legal entity names. This endpoint, located at '/GetLegalEntity', allows remote attackers to enumerate Convercent tenants by querying with common legal suffix terms. The vulnerability reveals sensitive business relationships and compliance infrastructure, potentially facilitating targeted phishing or extortion attacks against organizations using the platform.
Impact
Exploitation of this vulnerability allows for unauthorized enumeration of Convercent customers, revealing internal legal entity names. This could lead to targeted attacks such as phishing or extortion, and exposes sensitive business and compliance information.
Reproduction
To reproduce this vulnerability, send a request to the '/GetLegalEntity' API endpoint without authentication. Include a 'searchText' parameter with common legal suffix terms such as 'plc', 'ag', 'sa', 'nv', 'ab', 'publ', 'oyj', or 'asa'. The response will include internal customer legal entity names, allowing for enumeration of organizations using the Convercent Whistleblowing Platform.
Remediation
EQS Group should remove or restrict the '/GetLegalEntity' API endpoint, or require authentication on it, to prevent customer enumeration. Additionally, a platform-wide review of cookie handling, tenant configuration, and load balancer behavior is recommended.
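Until the endpoint is restricted, operators can spot the enumeration pattern described above in their web server logs. The following detection script is an added example and not part of this advisory or the Convercent platform; it assumes access logs in Common Log Format (where a "-" in the user field marks an anonymous request) and flags clients that query '/GetLegalEntity' anonymously with several distinct legal-suffix probe terms. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Short legal-suffix terms the advisory names as enumeration probes.
ENUM_TERMS = {"plc", "ag", "sa", "nv", "ab", "publ", "oyj", "asa"}

# Constructed sample access log in Common Log Format (not real traffic).
# The third field is the authenticated user; "-" means the request was anonymous.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /GetLegalEntity?searchText=plc HTTP/1.1" 200 812
203.0.113.10 - - [12/Mar/2024:10:00:02 +0000] "GET /GetLegalEntity?searchText=AG HTTP/1.1" 200 640
203.0.113.10 - - [12/Mar/2024:10:00:03 +0000] "GET /GetLegalEntity?searchText=nv HTTP/1.1" 200 455
203.0.113.10 - - [12/Mar/2024:10:00:04 +0000] "GET /GetLegalEntity?searchText=sa HTTP/1.1" 200 901
198.51.100.7 - jdoe [12/Mar/2024:10:05:00 +0000] "GET /GetLegalEntity?searchText=Acme%20Holdings HTTP/1.1" 200 120
198.51.100.8 - - [12/Mar/2024:10:06:00 +0000] "GET /GetLegalEntity?searchText=ab HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def probe_term(line: str):
    """Return (ip, term) for an anonymous, successful /GetLegalEntity query
    whose searchText is an enumeration term; otherwise return None."""
    m = LINE_RE.match(line)
    if not m or m["user"] != "-" or m["status"] != "200":
        return None
    url = urlsplit(m["target"])
    if url.path != "/GetLegalEntity":
        return None
    terms = parse_qs(url.query).get("searchText", [])
    if not terms:
        return None
    term = terms[0].strip().lower()
    return (m["ip"], term) if term in ENUM_TERMS else None


def find_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Map each client IP to the sorted probe terms it used, keeping only
    clients that tried at least `threshold` distinct terms."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = probe_term(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {ip: sorted(t) for ip, t in seen.items() if len(t) >= threshold}
```

Calling `find_enumeration(SAMPLE_LOG)` flags only 203.0.113.10, which probed four distinct terms anonymously; the authenticated lookup and the single-term client fall below the threshold.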
