Re: [FD] Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
- To: fulldisclosure@xxxxxxxxxxxx, yuffie.kisaragi@xxxxxxxxxxxxx
- Subject: Re: [FD] Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
- From: Art Manion via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Thu, 08 Jan 2026 18:26:44 +0000
Hi,
> the vulnerabilities are no longer considered eligible for CVE tracking,
> despite being real, independently discovered, responsibly disclosed, and
> acknowledged by the vendor.
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a
period of time, there was a restriction that only the provider could make or
request such an assignment. But the current CVE rules remove this restriction:
4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises,
artificial intelligence, machine learning) as the sole basis for determining
assignment.
It would have been acceptable (even preferred) to leave CVE-2025-34411 and
CVE-2025-34412 published and identify them as affecting an
"exclusively-hosted-service":
5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all
known Products listed in the CVE Record exist only as fully hosted services. If
the Vulnerability affects both hosted services and on-premises Products, then
this tag MUST NOT be used.
Rules: https://www.cve.org/resourcessupport/allresources/cnarules
Regards,
- Art
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/