Convercent Whistleblowing Platform Protection Mechanism Failure and Insecure Session Handling Vulnerability
Vulnerability
A vulnerability exists in the Convercent Whistleblowing Platform, managed by EQS Group, due to a failure in session and browser handling mechanisms. Affected deployments typically lack essential HTTP security headers, such as Content-Security-Policy and Referrer-Policy, and have inadequate clickjacking defenses. Additionally, the platform issues session cookies with insecure or inconsistent attributes, including duplicate ASP.NET_SessionId values, an affinity cookie without the Secure attribute, and mixed or absent SameSite settings. These vulnerabilities compromise session integrity and browser-side isolation, heightening the risk of client-side attacks, session fixation, and cross-site session leakage.
Impact
These weaknesses expose the platform to session fixation, cookie manipulation, and cross-origin issues, which can enable unauthorized actions and the potential exposure of sensitive metadata and customer identity details.
Reproduction
The vulnerability can be reproduced by accessing a Convercent Whistleblowing Platform instance and observing the default HTTP security headers, session cookie attributes, and clickjacking protections. The unauthenticated API endpoint that leaks customer legal entities can be accessed by sending a request with common legal-suffix search terms.
Remediation
Convercent should implement modern security headers, revise its HSTS configuration, ensure proper session cookie management, enhance clickjacking protections, and address the customer enumeration vulnerability by securing the API endpoint.
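To make the header and cookie weaknesses described under Vulnerability and the fixes listed under Remediation concrete, the following audit script is an added example; it is not code from this advisory, from EQS Group, or from the Convercent platform. It checks a list of response headers for the missing security headers, weak clickjacking defence, and insecure or inconsistent cookie attributes the advisory names, and compares a constructed "before" response against a hardened one. Both sample responses and the one-year HSTS threshold are assumptions made for illustration, not captures from or requirements of any real deployment.

```python
"""Audit HTTP response headers for the weaknesses this advisory describes.

The sample responses below are CONSTRUCTED for illustration; they are not
captured from any real Convercent or EQS Group deployment.
"""
from collections import Counter

# Headers every HTML response should carry (lower-case key -> display name).
REQUIRED_HEADERS = {
    "content-security-policy": "Content-Security-Policy",
    "referrer-policy": "Referrer-Policy",
    "strict-transport-security": "Strict-Transport-Security",
}

# Assumed minimum HSTS lifetime for this audit: one year in seconds.
MIN_HSTS_MAX_AGE = 31536000


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header, or 0 if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_response(headers):
    """Return a list of finding strings for a list of (name, value) header pairs."""
    findings = []
    single = {h.lower(): v for h, v in headers if h.lower() != "set-cookie"}
    cookies = [parse_set_cookie(v) for h, v in headers if h.lower() == "set-cookie"]

    # 1. Missing security headers.
    for key, display in REQUIRED_HEADERS.items():
        if key not in single:
            findings.append(f"missing-header: {display}")

    # 2. HSTS present but with a short lifetime.
    hsts = single.get("strict-transport-security", "")
    if hsts and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("weak-hsts: max-age below one year")

    # 3. Clickjacking: neither CSP frame-ancestors nor X-Frame-Options.
    csp = single.get("content-security-policy", "").lower()
    if "frame-ancestors" not in csp and "x-frame-options" not in single:
        findings.append("clickjacking: no frame-ancestors directive or X-Frame-Options")

    # 4. The same cookie name issued more than once in one response.
    for name, count in Counter(n for n, _ in cookies).items():
        if count > 1:
            findings.append(f"duplicate-cookie: {name} set {count} times")

    # 5. Per-cookie attribute checks and cross-cookie SameSite consistency.
    samesite_values = set()
    for name, attrs in cookies:
        if "secure" not in attrs:
            findings.append(f"cookie-no-secure: {name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-no-httponly: {name}")
        if "samesite" not in attrs:
            findings.append(f"cookie-no-samesite: {name}")
        samesite_values.add(str(attrs.get("samesite", "absent")).lower())
    if len(samesite_values) > 1:
        findings.append("cookie-inconsistent-samesite: " + ", ".join(sorted(samesite_values)))

    return findings


# Constructed "before" response mirroring the advisory's description.
INSECURE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "ASP.NET_SessionId=sess-one; path=/; HttpOnly"),
    ("Set-Cookie", "ASP.NET_SessionId=sess-two; path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "ARRAffinity=node-a; path=/; HttpOnly"),
]

# Constructed hardened response applying the Remediation points.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "ASP.NET_SessionId=sess-one; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "ARRAffinity=node-a; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] {len(audit_response(response))} finding(s)")
        for finding in audit_response(response):
            print("  -", finding)
```

The audit deliberately flags mixed SameSite values across cookies as well as missing ones, so a remediated deployment should settle on one policy for every cookie it issues rather than fixing them cookie by cookie.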
