Descripción
The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, implement incomplete clickjacking protections. The application also issues cookies with insecure or inconsistent attributes including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, mixed absent SameSite settings. These deficiencies weaken browser-side isolation integrity, increasing exposure to client-side attacks, fixation, cross-site leakage.
https://seclists.org/fulldisclosure/2025/Dec/4
https://www.convercent.com/
https://www.eqs.com/en-us/platform-convercent-clients/
https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls
