CVE-2019-19612 in RAQuest
Summary
by MITRE
** DISPUTED ** An issue was discovered in Halvotec RaQuest 10.23.10801.0. Several features of the application allow stored Cross-site Scripting (XSS). NOTE: the vendor does not recognize this issue and will not patch it.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/12/2025
The vulnerability identified as CVE-2019-19612 affects Halvotec RaQuest version 10.23.10801.0, representing a stored cross-site scripting flaw that poses significant security risks to users of this application. This issue falls under the category of persistent XSS vulnerabilities where malicious scripts can be injected into the application's data storage and subsequently executed whenever legitimate users access the affected content. The vulnerability stems from inadequate input validation and output sanitization mechanisms within the application's processing pipeline, allowing attackers to embed malicious JavaScript code within various application features that store user-supplied data. According to CWE-79, this vulnerability represents a classic cross-site scripting weakness where the application fails to properly encode or escape user-controllable data before rendering it in web pages, creating an environment where attackers can execute arbitrary scripts in the context of other users' browsers.
The operational impact of this stored XSS vulnerability extends beyond simple data theft or session hijacking, as it provides attackers with the capability to perform more sophisticated attacks including credential theft, data exfiltration, and privilege escalation within the application's environment. When legitimate users interact with pages containing the stored malicious content, their browsers execute the embedded scripts, potentially allowing attackers to steal session cookies, modify application data, or redirect users to malicious sites. The vulnerability's persistence means that once injected, the malicious code remains active until manually removed from the application's database, creating a long-term threat vector. This type of vulnerability aligns with ATT&CK technique T1531 which focuses on credential access through malicious code execution and data manipulation.
Security professionals should recognize that the vendor's refusal to acknowledge or patch this vulnerability creates a particularly concerning scenario where users remain exposed to potential exploitation without official remediation. The lack of vendor support for this issue means organizations must implement their own compensating controls to mitigate the risk, including network-level protections such as web application firewalls, input validation measures, and regular monitoring of application data for malicious content. Organizations should also consider implementing Content Security Policy headers to limit script execution capabilities and establish robust monitoring procedures to detect potential exploitation attempts. The vulnerability demonstrates the critical importance of vendor security responsibility and highlights the risks organizations face when dealing with unsupported software versions that contain known security flaws.