A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2025-9158, has been found in Best Practical Request Tracker.
# Vulnerability: Stored XSS in Best Practical Request Tracker Calendar Invitations
## CVE Details
- CVE ID: CVE-2025-9158
- CVSS Score: not provided in the source (Severity: not provided in the source)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'))
## Affected Systems
- Products: Best Practical Request Tracker
- Versions: 5.0.4 through 5.0.8, and 6.0.0 through 6.0.1
- Configurations: Deployments that use the calendar invitation parsing feature, i.e. where tickets are created or updated from emails that carry calendar invitations.
## Vulnerability Description
A stored cross-site scripting (XSS) vulnerability exists in the calendar invitation parsing feature of Request Tracker. Invitation data taken from an incoming email is rendered in the ticket view without adequate HTML sanitization or output encoding. An attacker sends an email whose calendar invitation carries a script payload; when a user opens the ticket that displays the invitation, the embedded JavaScript runs in that user's browser with the privileges of their logged-in Request Tracker session. Because the payload is stored with the ticket, it fires for every user who views the ticket, not only the first.
## Exploitation
- Status: Not stated in the source. No public proof of concept is referenced, but a stored XSS of this kind is generally straightforward to reproduce once the unsanitized invitation field is identified, so exploitation should be treated as practical.
- Complexity: Low (Standard Stored XSS execution via crafted input)
- Attack Vector: Network (a crafted email carrying a calendar invitation, or an equivalent ticket submission)
## Impact
- Confidentiality: Potential compromise (Session hijacking, data theft)
- Integrity: Potential compromise (Actions performed in the user's context)
- Availability: Low (No direct denial of service mentioned)
## Remediation
### Patches
- The source lists no fixed versions. Since the affected ranges end at 5.0.8 and 6.0.1, the fixes are expected in 5.0.9 and 6.0.2; confirm the exact fixed versions against the vendor advisory before upgrading.
### Workarounds
- The source gives no workaround; the mitigation is to upgrade to a fixed release. Until then, a deployment that does not rely on calendar invitation parsing can reduce exposure by disabling that feature where the installed version offers a setting for it, and a restrictive Content-Security-Policy on the Request Tracker web interface limits what an injected script can do. Neither replaces the patch.
## Detection
- Indicators of compromise: tickets created or updated from email whose calendar invitation fields (summary, description, location, organizer or attendee display names) contain HTML tags, event-handler attributes such as `onerror=` or `onload=`, or `javascript:` URLs; unexpected script execution or outbound browser requests when staff open such tickets.
- Detection methods: scan stored tickets and incoming mail with calendar attachments for the markup above; run SAST/DAST against the invitation rendering path to confirm that values are HTML-escaped on output; monitor application and web server logs for ticket creation or update requests that carry such markup.
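The script below is an added illustration of both the Vulnerability Description and the Detection section; it is not code from the source or from Request Tracker (which is written in Perl). It parses a constructed iCalendar invitation, renders its display fields the vulnerable way (raw interpolation into HTML) and the hardened way (HTML-escaped on output), and runs a heuristic scanner over the invitation properties to flag the kind of markup an attacker would plant. The sample invitation, the field names chosen for display and the regular expression are all assumptions made for the demo.

```python
import html
import re

# Constructed sample invitation (not taken from the source or from Request
# Tracker). The ORGANIZER display name, SUMMARY and DESCRIPTION carry script
# payloads of the kind the advisory describes. SUMMARY is folded across two
# lines, as iCalendar allows, to exercise the unfolding step.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-uid-1@example.invalid
DTSTART:20250901T090000Z
DTEND:20250901T100000Z
ORGANIZER;CN=<img src=x onerror=alert(document.cookie)>:mailto:org@example.invalid
SUMMARY:Sync-up <script>alert(1)
 </script>
DESCRIPTION:Agenda\\, see <a href="javascript:alert(1)">link</a>
LOCATION:Room 4
END:VEVENT
END:VCALENDAR
"""


def unescape_ics(value):
    # Undo iCalendar text escaping: backslash-comma, backslash-semicolon,
    # doubled backslash, and \n / \N for newlines.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_invitation(ics_text):
    """Minimal iCalendar parser: unfold continuation lines, then return the
    VEVENT properties as (NAME, params, value) tuples. Enough for the demo;
    a real parser must also handle quoted parameter values."""
    unfolded = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        elif raw:
            unfolded.append(raw)
    props, in_event = [], False
    for line in unfolded:
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            in_event = False
        elif in_event and ":" in line:
            head, _, value = line.partition(":")
            name, *raw_params = head.split(";")
            params = dict(p.split("=", 1) for p in raw_params if "=" in p)
            props.append((name.upper(), params, unescape_ics(value)))
    return props


# Assumed set of fields a ticket view would show to the user.
DISPLAYED = ("SUMMARY", "DESCRIPTION", "LOCATION", "ORGANIZER", "ATTENDEE")


def display_fields(props):
    """Human-readable fields; for ORGANIZER and ATTENDEE the CN parameter
    (display name) is shown when present, as calendar UIs do."""
    return [(name.title(), params.get("CN", value))
            for name, params, value in props if name in DISPLAYED]


def render_unsafe(props):
    """Vulnerable rendering: untrusted invitation text interpolated into HTML
    as-is, which is the defect class the advisory describes."""
    return "".join(f"<li><b>{label}:</b> {value}</li>\n"
                   for label, value in display_fields(props))


def render_safe(props):
    """Hardened rendering: every untrusted value is HTML-escaped on output.
    quote=True also escapes quotes, which matters if a value lands in an attribute."""
    return "".join(f"<li><b>{html.escape(label)}:</b> {html.escape(value, quote=True)}</li>\n"
                   for label, value in display_fields(props))


# Heuristic markers of HTML/script injection in text that should be plain.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object|embed|style|a|body)\b"
    r"|\bon[a-z]+\s*="  # event-handler attributes: onerror=, onload=, ...
    r"|javascript\s*:"
    r"|data\s*:\s*text/html",
    re.IGNORECASE,
)


def find_suspicious(props):
    """Triage aid for the Detection section: (field, match) pairs for every
    property value or parameter that carries markup. Heuristic only; output
    escaping, not this filter, is what prevents execution."""
    hits = []
    for name, params, value in props:
        candidates = [(name, value)] + [(f"{name};{k}", v) for k, v in params.items()]
        for field, text in candidates:
            m = SUSPICIOUS.search(text)
            if m:
                hits.append((field, m.group(0)))
    return hits


if __name__ == "__main__":
    props = parse_invitation(SAMPLE_ICS)
    print("--- unsafe rendering (payload reaches the browser as markup) ---")
    print(render_unsafe(props))
    print("--- safe rendering (payload shown as inert text) ---")
    print(render_safe(props))
    print("--- suspicious fields ---")
    for field, match in find_suspicious(props):
        print(f"{field}: {match!r}")
```

The scanner deliberately checks parameter values (such as the organizer's CN) and not only property values, since display names are rendered just like the summary. Its regular expression is a triage heuristic and will produce some false positives; the actual fix is the escaping shown in `render_safe`, applied at every point where invitation data is written into HTML.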
## References
- CVE record for CVE-2025-9158, with reference links to the vendor advisory: https://www.cve.org/CVERecord?id=CVE-2025-9158
- CERT Polska CVD process information: https://cert.pl/en/cvd/