Quest Coexistence Manager for Notes
Summary
SRA has identified a vulnerability in Quest Coexistence Manager for Notes that can lead to bypassing access controls, poisoning web caches, hijacking sessions, or triggering unintended internal requests.
CVE Identifiers
| CVE ID | CVE Name |
|---|---|
| CVE-2025-12874 | HTTP Request Smuggling in Quest Coexistence Manager for Notes |
Vulnerability Details / Description
The Free/Busy Connector in Quest Coexistence Manager for Notes (3.8.2045) is vulnerable to HTTP request smuggling by an unauthenticated remote attacker. The front-end and back-end components parse request headers inconsistently, which desynchronizes request boundaries. The front-end server uses the Content-Length header to determine the end of the request body and forwards the full request. The back-end server interprets the same request using Transfer-Encoding: chunked, processes only the first chunk (declared as zero-length), and treats the remaining bytes as a new, separate request. An attacker can therefore embed a second, hidden request in the body of the original message; because of the parsing mismatch, the back-end server processes this smuggled request independently.
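A defensive framing check for the Content-Length / Transfer-Encoding mismatch described above, as an added example that is not part of the SRA advisory or Quest's code: it flags requests a front end should refuse and counts the bytes a chunked parser would leave over as the start of a next request. The function names, host, paths and sample requests are constructed for illustration.

```python
def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased header pairs, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip().lower()))
    return headers, body

def chunked_end(body: bytes) -> int:
    """Offset where a chunked parser ends the body, or -1 if malformed."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return -1
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return -1
        if size < 0 or eol + 4 + size > len(body):
            return -1
        if size == 0:  # last chunk: body ends after optional trailers
            end = body.find(b"\r\n\r\n", eol)
            return end + 4 if end >= 0 else -1
        pos = eol + 4 + size  # size line CRLF, chunk data, data CRLF

def inspect(raw: bytes) -> dict:
    """Report framing ambiguity and the bytes the two parsers disagree on."""
    headers, body = parse_head(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    findings, leftover = [], 0
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
        te_end = chunked_end(body)
        if cl[0].isdigit() and 0 <= te_end < int(cl[0]):
            leftover = min(int(cl[0]), len(body)) - te_end
    return {"reject": bool(findings), "findings": findings, "leftover": leftover}

# Constructed samples (hypothetical host and paths).
TAIL = b"GET /constructed HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"0\r\n\r\n" + TAIL
NORMAL = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\na=1"
AMBIGUOUS = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n" % len(BODY)) + BODY
```

A non-zero `leftover` means a Content-Length parser and a chunked parser would place the end of the request at different offsets, which is the desynchronization condition in this advisory.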
Severity
The CVSS base score of this vulnerability has been calculated to be 6.3 (Medium).
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear
Affected Versions and Models
Quest Coexistence Manager for Notes 3.8.2045
MITRE CWE Weakness Enumeration
CWE-444: Inconsistent Interpretation of HTTP Requests
Remediation Options
Update Quest Coexistence Manager for Notes to the latest version.
Source
This vulnerability was discovered by Cam Lischke as part of research performed by Security Risk Advisors.
Timeframe
- November 3, 2025 – SRA submits vulnerability support case to Quest.
- November 4 through November 7, 2025 – SRA submits details of vulnerability to Quest.
- December 9, 2025 – SRA notifies Quest of intent to publicly disclose.
- December 12, 2025 – Quest acknowledges intent to publicly disclose.
- December 17, 2025 – Quest notifies SRA of intent to create a knowledge base article for Quest Support Portal.