Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

[Yuffie Kisaragi via Fulldisclosure <fulldisclosure () seclists org>]

Advisory ID: CONVERCENT-2025-001
Title: Multiple Security Misconfigurations and Customer Enumeration Exposure in
Convercent Whistleblowing Platform (EQS Group)
Date: 2025-12-04
Vendor: EQS Group
Product: Convercent Whistleblowing Platform (app.convercent.com)
Severity: Critical
CVSS v4.0 Base Score: 9.3
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Summary

A series of security weaknesses were identified in the Convercent whistleblowing
platform operated by EQS Group. These issues include missing critical HTTP
security headers, insecure and duplicated session cookies, inconsistent SameSite
attributes, incomplete clickjacking protection, and an unauthenticated API
endpoint that leaks internal customer legal entities. The vulnerabilities were
observed on multiple customer instances (e.g., Milliman, Röchling Group,
BorgWarner) demonstrating that the weaknesses affect multiple Convercent tenants
and appear systemic.


Because Convercent processes sensitive whistleblower reports, internal
misconduct disclosures, and protected-identity information, these
vulnerabilities pose a severe risk to confidentiality, integrity, and
operational privacy.


Findings

1. Missing Critical Security Headers

The platform does not send several essential browser security headers,
including:

- Content-Security-Policy
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy

The lack of these protections leaves Convercent pages vulnerable to cross-site
scripting, clickjacking, browser API misuse, cross-origin data leakage, and
weakened process isolation.

2. Weak HSTS Configuration and Formatting Issues

The platform currently sends the following Strict-Transport-Security header:

- Strict-Transport-Security: max-age=86400;includeSubDomains

This configuration uses an unusually small max-age value (24 hours), causing
browsers to quickly discard the HTTPS-only policy and leaving users vulnerable
to downgrade and SSL-stripping attacks. The missing space after the semicolon
(;includeSubDomains) is not an RFC violation but may affect parsing reliability
in certain intermediaries or older clients, reducing consistency and enforcement
of security expectations.

A more robust and industry-aligned configuration would be:
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This longer duration, proper formatting, and optional preload directive provide
stronger, long-term HTTPS enforcement appropriate for a high-sensitivity
whistleblowing platform.

3. Duplicate Session Cookies
Multiple instances were found issuing two identical ASP.NET_SessionId cookies.

Duplicate session cookies may cause authentication instability, session override
conditions, and session fixation. This constitutes a protection mechanism
failure (CWE-693) and may indicate inconsistent load balancer or
application-layer handling.

4. Missing Secure Attribute on Affinity Cookie

One affinity cookie (ApplicationGatewayAffinity) lacked the Secure attribute,
exposing session metadata to potential interception on non-encrypted channels.
This is a serious misconfiguration for a system that handles sensitive
disclosures.

5. Inconsistent SameSite Attributes

Cookies within the platform defined mixed or absent SameSite values.

Such inconsistency may permit cross-site request leakage, session forwarding to
unintended origins, and unpredictable behavior in modern browsers. This
increases exposure to CSRF and related session compromise risks.

6. Incomplete Clickjacking Protection

The platform sets X-Frame-Options twice but does not define modern framing
restrictions using Content-Security-Policy’s frame-ancestors directive. As a
result, clickjacking protection is incomplete and can be bypassed.

7. Customer Enumeration via Unauthenticated API Endpoint

An unauthenticated API endpoint was found:

https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=

This endpoint returns internal customer legal entities based on the supplied
search fragment.

By querying the endpoint with common legal-suffix search terms such as “plc”,
“ag”, “sa”, “nv”, “ab”, “publ”, “oyj”, “asa”, it is possible to identify
publicly traded companies using Convercent. Since these suffixes correspond to
stock-quoted entities across various jurisdictions, attackers can derive a
meaningful portion of Convercent’s publicly listed customers.


E.g.:
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=plc
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=ag
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=sa
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=nv
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=ab
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=publ
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=oyj
-
https://app.convercent.com/en-US/Anonymous/IssueIntake/GetLegalEntity?searchText=asa

Critical Implications of Customer Enumeration

- Identification of organizations using the platform, even when such information
is not publicly disclosed;
- Construction of target lists for phishing, insider-trading intelligence,
extortion attempts, or regulatory exploitation;
- Exposure of sensitive business relationships and internal compliance
structures;
- Automated harvesting of thousands of customer entities through scriptable,
unauthenticated queries;
- Violation of expected confidentiality surrounding whistleblower
infrastructure, which is often deliberately undisclosed.

Impact

Confidentiality: High
Sensitive metadata, session information, and customer identity details can be
disclosed.

Integrity: High
Session fixation, cookie manipulation, and framing attacks could enable
unauthorized actions.

Availability: No
The vulnerabilities do not directly impair availability.

Scope: Changed
The absence of COOP/COEP and the presence of cross-origin weaknesses enable
privilege extension beyond the originating tenant.

Given the nature of data processed by whistleblowing systems, these weaknesses
represent a critical failure of security design and operational hardening.


Mitigation

The Convercent platform should implement the following:


Enforce modern security headers:

- Content-Security-Policy
- Referrer-Policy
- Permissions-Policy
- COEP, COOP, CORP


Revices HTSTS configuration.

Ensure only one session cookie is issued and add Secure and consistent SameSite
attributes to all cookies.

Implement proper clickjacking protection using CSP frame-ancestors.

Remove or restrict the GetLegalEntity API endpoint or require authentication to
prevent customer enumeration.

Conduct a platform-wide review of cookie handling, tenant configuration, and
load balancer behavior.


Affected Examples

Publicly reachable Convercent instances exhibiting similar behavior include:

Milliman
https://app.convercent.com/en-US/LandingPage/c9d65965-b01f-ec11-a985-000d3ab9f062


Röchling Group
https://app.convercent.com/en-us/Anonymous/IssueIntake/LandingPage/06ab7f15-a3ab-ed11-a99a-000d3ab9f062


BorgWarner
https://app.convercent.com/en-us/Anonymous/IssueIntake/IdentifyOrganization


These examples illustrate that the vulnerabilities are not isolated to a single
tenant but reflect systemic issues across the Convercent platform.


Vendor Status

As of 2025-12-04, no mitigation has been observed. The vendor has not responded
to this disclosure.


Timeline:

2025-09-12 - Vulnerability discovered
2025-09-12 - Vendor contacted at security-vulnerability () eqs com using
responsible disclosure as for https://www.eqs.com/report-a-vulnerability/ (no
response)
2025-11-13 - Second vendor contact (no response)
2025-12-04 - Public disclosure


References

- OWASP Top 10 – A05:2021 Security Misconfiguration
- CWE-693: Protection Mechanism Failure
- NIST SP 800-53 Rev. 5 – SC-34, SC-18
- ISO/IEC 27001:2022 – 8.25 and 8.28


Disclaimer

All research supporting this advisory relied only on publicly available
endpoints and did not involve probing, exploitation, or any action that could
impact system integrity or user privacy. The intent of this publication is to
promote safer and more resilient security environments.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/