Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)


Full Disclosure mailing list archives


From: Yuffie Kisaragi via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 20 Jan 2026 17:13:27 +0000

Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the applicability of the
“exclusively-hosted-service” tag and the removal of prior restrictions.

We look forward to receiving transparent feedback from the CNA and/or the vendor.

To date, the vendor has remained silent with regard to informing their users
about the reported issues. As far as we can determine, no public advisory or
user-facing communication has been issued via their vulnerability reporting
channel () or elsewhere.

Best regards,

Yuffie


On Tue, Jan 20, 2026 at 7:26 PM <> wrote:

Hi,

the vulnerabilities are no longer considered eligible for CVE tracking,
despite being real, independently discovered, responsibly disclosed, and
acknowledged by the vendor.
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a
period of time, there was a restriction that only the provider could make or
request such an assignment. But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises,
artificial intelligence, machine learning) as the sole basis for determining
assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411 and
CVE-2025-34412 published and identify them as affecting an
"exclusively-hosted-service:"

5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all
known Products listed in the CVE Record exist only as fully hosted services.
If the Vulnerability affects both hosted services and on-premises Products,
then this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

- Art
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Source: https://seclists.org/fulldisclosure/2026/Jan/26