Yuffie Kisaragi

**Name of the Vulnerable Software and Affected Versions** Convercent Whistleblowing Platform (affected versions not specified) **Description** The platform exposes an unauthenticated API endpoint at `/GetLegalEntity` that returns internal customer legal-entity names based on a supplied `searchText` fragment. An unauthenticated attacker can query this endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Convercent Whistleblowing Platform versions (affected versions not specified) **Description** The application exhibits a protection mechanism failure in browser and session handling. It lacks essential HTTP security headers, including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy. Clickjacking protections are incomplete, and session cookies are issued with insecure attributes, such as duplicate ASP.NET SessionId values, a missing Secure attribute for the affinity cookie, and inconsistent SameSite settings. These issues weaken browser isolation and session integrity, potentially leading to client-side attacks, session fixation, and cross-site session leakage. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.