CVE-2025-34412

Name of the Vulnerable Software and Affected Versions Convercent Whistleblowing Platform versions (affected versions not specified)

Description The application exhibits a protection mechanism failure in browser and session handling. It lacks essential HTTP security headers, including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy. Clickjacking protections are incomplete, and session cookies are issued with insecure attributes, such as duplicate ASP.NET SessionId values, a missing Secure attribute for the affinity cookie, and inconsistent SameSite settings. These issues weaken browser isolation and session integrity, potentially leading to client-side attacks, session fixation, and cross-site session leakage.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.