Share
## https://sploitus.com/exploit?id=PACKETSTORM:167706
EQS Integrity Line: Multiple Vulnerabilities  
  
Name Multiple Vulnerabilities in EQS Integrity Line  
Systems Affected EQS Integrity Line through 2022-07-01  
Severity High  
Impact (CVSSv2) High 8.8/10, score: (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)  
Vendor EQS Group AG (https://www.eqs.com/)  
Advisory http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt  
Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)  
Date 20220706  
  
I. BACKGROUND  
  
EQS Integrity Line is a proprietary whistleblowing software which enables  
employees to report misconduct such as corruption, abuses of power and  
discrimination internally before complaints become public and, in serious  
cases, result in financial losses as well as reputational damage.  
  
II. DESCRIPTION  
  
Multiple Vulnerabilities exist in EQS Integrity Line software.  
  
The present advisory highlights two distinct vulnerabilities, namely (A)  
XSS Vulnerability (stored) [CVE-2022-34007] and (B) Use of GET Request  
Method With Sensitive Query Strings [CWE-598].  
  
III. ANALYSIS  
  
A) XSS Vulnerability (stored) [CVE-2022-34007]  
  
EQS Integrity Line through 2022-07-01 allows a stored XSS via a crafted  
whistleblower entry.  
  
In order to exploit this vulnerability no account is required on the  
whistleblowing software.  
  
The vulnerability resides in the whistleblowing questionnaire  
implementation that enables anonymous, non authenticated, users to inject  
malicious XSS vectors due to missing or improper input sanitization.  
Also content security policies (CSP) that could prevent or limit the attack  
are absent.  
  
The vulnerability is present on the whistleblowing form, and can be  
triggered using the following example input:  
  
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--  
  
<img src= onerror=alert(document.cookie)>  
  
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--  
  
Due to the vulnerability, an attacker posing as a whistleblower could  
upload an XSS vector in the submission form loading malicious code to be  
reflected and executed in the context of the browser session of the  
Recipient of the submission, that is typically an Anticorruption Officer  
or an Internal Auditor.  
  
Being able to execute code in the context of the target, and due to the  
absence of additional mitigations (e.g. the HttpOnly flag for cookies)  
the attacker could possibly obtain a copy of the target session cookie  
useful to impersonate and operate in place of the target user and  
execute automated operations on behalf of the target user by accessing  
all the reports present on the system or possibly impact the integrity  
of the system by deleting reports or interfering with ongoing  
communications with a real whistleblower.  
  
In short: a standard XSS attack scenario.  
  
The test for the presence of this vulnerability has been performed on the  
first input only, to not risk to cause any damage to the application.  
It is advised to execute a proper complete audit of the application with  
respect to this kind of vulnerability.  
  
The vulnerability was first identified performing an independent security  
audit to evaluate and ensure the security of the EU Sanctions Whistleblower  
Tool of the European Commission enabling whistleblowers to report possible  
violation of EU sanctions hosted at:  
  
https://eusanctions.integrityline.com/  
  
B) Use of GET Request Method With Sensitive Query Strings [CWE-598]  
  
EQS Integrity Line through 2022-07-01 leaves sensitive traces in the browser  
history of whistleblowers using the application and possibly in the logs  
of other network appliances involved in the communication.  
  
When a whistleblower makes a submission, the system assigns a unique  
identifier to the submission and enables to choose a pin that is intended  
to be used by users in combination with the unique identifier to access  
the system in order to communicate with the recipients of their own report.  
  
The implementation of the session makes use of GET variables that include  
the unique identifier in the navigated URL to access the report.  
Such an implementation is prone to sensible information leakage making it  
possible for an auditor accessing the browser history of the  
whistleblower's device to clearly identify the evidence of a performed  
submission.  
  
It is advised to perform full review of the application to get sure that  
the application reduces the sensible traces left in the browser history of  
the user.  
  
IV. WORKAROUND  
  
The vendor has fixed the XSS and implemented a CSP in date 2022-07-01  
  
V. CVE INFORMATION  
  
XSS Vulnerability (stored) [CVE-2022-34007]  
Use of GET Request Method With Sensitive Query Strings [CWE-598]  
  
VI. DISCLOSURE TIMELINE  
  
20220617 USH: Bugs discovered  
20220617 USH: Contacted Mitre for CVE Assignment  
20220621 USH: First vendor contact (Lorenzo Trevisiol, Laura Santeusanio)  
20220622 USH: Advisory provided to the vendor (Goran Kozomara)  
20220701 Vendor response: XSS confirmed and CSP implemented (Marco Ermini)  
The vendor does not acknowledge the second reported vulnerability  
in the specific context of use but has planned future improvement  
the application of the application replacing the GET request with  
a POST request.  
20220701 USH: The team confirms prompt and effective remediation of the  
XSS vulnerability but points out suboptimal CSP implementation.  
The implementation seems to involve a central proxy or device and  
to always include a list of 10 vendor clients and other third  
parties CDN probably used for other reasons different from the  
audited integrity line app (e.g. bootstrap CDN). The team advises  
to implement a policy per-site and app to avoid listing sensible  
resources and limit any possible exposure.  
20220701 Advisory release scheduled for 20220706  
20220706 Advisory released  
  
VII. REFERENCES  
  
[1] EQS Integrity Line: Multiple Vulnerabilities  
http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt  
  
VIII. CREDIT  
  
Giovanni Pellerano, is credited with the discovery of this vulnerability.  
  
Giovanni Pellerano  
web site: http://www.ush.it/  
mail: evilaliv3@ush.it  
  
IX. LEGAL NOTICES  
  
Copyright (c) 2022 Giovanni Pellerano  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without mine express  
written consent. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically,  
please email me for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information. Use  
of the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.