CVE-2025-34412 in Convercent Whistleblowing Platforminfo

Summary

by MITRE • 12/15/2025

The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

VulnCheck

Reservation

04/15/2025

Disclosure

12/15/2025

Moderation

revoked

Entry

VDB-336469

CPE

ready

CWE

CWE-693 (confirmed)

CVSS

7.3 (VulDB)

EPSS

0.00000

KEV

Activities

very low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-34412
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-34412
CVE Details	https://www.cvedetails.com/cve/CVE-2025-34412/

◂ Previous Overview Next ▸

Do you know our Splunk app?

Download it now for free!