Full Disclosure mailing list archives

Hello Yuffie,

Upon further investigation, the VulnCheck CNA determined that these
vulnerabilities were not suitable for CVE assignment. The
vulnerabilities exist within a SaaS product and are mitigated at the
CSP-level which in this case, would be the vendor, EQS Group. Rather than
contribute unactionable CVE records, the VulnCheck CNA used its
discretionary prowess to move forward with rejecting these records. This
policy aligns with a 2022 blog from MITRE
<https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID>.
It
should be noted that the vendor informed us that they have published
advisories for the respective vulnerabilities in their "Trust Center"
customer portal.

These actions should not be a deterrent for you to pursue CVE assignment
through MITRE or another research CNA.

Best regards,

<https://www.vulncheck.com/>

Wade Sparks III
VulnCheck
Senior Vulnerability Analyst


On Tue, Jan 20, 2026 at 12:13 PM Yuffie Kisaragi <
yuffie.kisaragi () atomicmail io> wrote:

Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the
relevant sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It
will also be important to understand the vendor’s perspective in light of
the points you raised, especially regarding the applicability of the
“exclusively-hosted-service” tag and the removal of prior restrictions.

We look forward to receive transparent feedback from the CNA and/or the
vendor.

To date, the vendor has remained silent with regard to informing their
users about the reported issues. As far as we can determine, no public
advisory or user-facing communication has been issued via their
vulnerability reporting channel (
https://www.eqs.com/report-a-vulnerability/) or elsewhere.

Best regards,

Yuffie

On Tue, Jan 20, 2026 at 7:26 PM <zmanion () protonmail com> wrote:

Hi,

the vulnerabilities are no longer considered eligible for CVE tracking,

despite being real, independently discovered, responsibly disclosed, and
acknowledged by the vendor.
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software.
For a period of time, there was a restriction that only the provider could
make or request such an assignment. But the current CVE rules remove this
restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud,
on-premises, artificial intelligence, machine learning) as the sole basis
for determining assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411
and CVE-2025-34412 published and identify them as affecting an
"exclusively-hosted-service:"

5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag
when all known Products listed in the CVE Record exist only as fully hosted
services. If the Vulnerability affects both hosted services and on-premises
Products, then this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

- Art

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Yuffie Kisaragi via Fulldisclosure (Jan 05)
  • <Possible follow-ups>
  • Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Wade Sparks (Jan 21)