https://labs.sra.io/tags/cve-2025-12874/ Recent content in CVE-2025-12874 on SRA Labs Hugo -- gohugo.io en-us Fri, 19 Dec 2025 12:00:00 +0000 https://labs.sra.io/posts/questcoexistence/ Fri, 19 Dec 2025 12:00:00 +0000 https://labs.sra.io/posts/questcoexistence/ <h1 id="summary">Summary</h1> <p>SRA has identified a vulnerability in Quest Coexistence Manager for Notes that can lead to bypassing access controls, poisoning web caches, hijacking sessions, or triggering unintended internal requests.</p> <h1 id="cve-identifiers">CVE Identifiers</h1> <table> <thead> <tr> <th>CVE ID</th> <th>CVE Name</th> </tr> </thead> <tbody> <tr> <td>CVE-2025-12874</td> <td>HTTP Request Smuggling in Quest Coexistence Manager for Notes</td> </tr> </tbody> </table> <h1 id="vulnerability-details--description">Vulnerability Details / Description</h1> <p>Quest Coexistence Manager for Notes (3.8.2045) is vulnerable in the Free/Busy Connector to HTTP request smuggling from an unauthenticated remote attacker. The front-end and back-end components rely on inconsistent header parsing, resulting in desynchronized request boundaries. In this case, the front-end server uses the <code>Content-Length</code> header to determine the end of the request body, forwarding the full request. The back-end server interprets the request using <code>Transfer-Encoding: chunked</code>, processing only the first chunk (declared as zero-length) and treating the remaining bytes as a new, separate request. The attacker embeds a second, hidden request in the body of the original message. Due to the parsing mismatch, this smuggled request is processed independently by the back-end server.</p> <h1 id="summary">Summary</h1> <p>SRA has identified a vulnerability in Quest Coexistence Manager for Notes that can lead to bypassing access controls, poisoning web caches, hijacking sessions, or triggering unintended internal requests.</p> <h1 id="cve-identifiers">CVE Identifiers</h1> <table> <thead> <tr> <th>CVE ID</th> <th>CVE Name</th> </tr> </thead> <tbody> <tr> <td>CVE-2025-12874</td> <td>HTTP Request Smuggling in Quest Coexistence Manager for Notes</td> </tr> </tbody> </table> <h1 id="vulnerability-details--description">Vulnerability Details / Description</h1> <p>Quest Coexistence Manager for Notes (3.8.2045) is vulnerable in the Free/Busy Connector to HTTP request smuggling from an unauthenticated remote attacker. The front-end and back-end components rely on inconsistent header parsing, resulting in desynchronized request boundaries. In this case, the front-end server uses the <code>Content-Length</code> header to determine the end of the request body, forwarding the full request. The back-end server interprets the request using <code>Transfer-Encoding: chunked</code>, processing only the first chunk (declared as zero-length) and treating the remaining bytes as a new, separate request. The attacker embeds a second, hidden request in the body of the original message. Due to the parsing mismatch, this smuggled request is processed independently by the back-end server.</p> <p><strong>Severity</strong></p> <p>The CVSS base score of this vulnerability has been calculated to be 6.3 (Medium).</p> <p>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear</p> <h1 id="affected-versions-and-models">Affected Versions and Models</h1> <p>Quest Coexistence Manager for Notes 3.8.2045</p> <h1 id="mitre-cwe-weakness-enumeration">MITRE CWE Weakness Enumeration</h1> <p>CWE-444: Inconsistent Interpretation of HTTP Requests</p> <h1 id="remediation-options">Remediation Options</h1> <p>Update Quest Coexistence Manager for Notes to latest version.</p> <h1 id="source">Source</h1> <p>This vulnerability was discovered by Cam Lischke as part of research performed by Security Risk Advisors.</p> <h1 id="timeframe">Timeframe</h1> <ul> <li>November 3, 2025 – SRA submits vulnerability support case to Quest.</li> <li>November 4 through November 7, 2025 – SRA submits details of vulnerability to Quest.</li> <li>December 9, 2025 – SRA notifies Quest of intent to publicly disclose.</li> <li>December 12, 2025 – Quest acknowledges intent to publicly disclose.</li> <li>December 17, 2025 – Quest notifies SRA of intent to create a knowledge base article for Quest Support Portal</li> </ul>