CVE-2025-9158 in Request Trackerinfo

Summary

by MITRE • 10/24/2025

The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user.

This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/24/2025

The Request Tracker software presents a critical stored cross-site scripting vulnerability identified as CVE-2025-9158 within its calendar invitation parsing functionality. This flaw resides in the software's handling of calendar invitation data where the system fails to properly sanitize HTML content before displaying it to users. The vulnerability specifically impacts versions ranging from 5.0.4 through 5.0.8 and 6.0.0 through 6.0.1, creating a persistent security risk across multiple release branches. The flaw operates through a classic stored XSS attack vector where malicious actors can craft specially formatted email invitations containing embedded JavaScript payloads that execute when the invitation data is rendered within the application's user interface.

The technical mechanism of this vulnerability stems from inadequate input validation and output encoding within the calendar invitation processing module. When calendar invitations are parsed and displayed within the Request Tracker interface, the system does not perform proper HTML sanitization or context-appropriate encoding of the invitation data. This allows attackers to inject malicious scripts that can execute in the security context of authenticated users who view the affected calendar entries. The vulnerability is particularly dangerous because it leverages the legitimate calendar invitation feature to deliver malicious payloads, making it difficult for users to distinguish between benign and malicious content. The stored nature of this vulnerability means that once an attacker successfully injects malicious code through a crafted email invitation, the payload persists and executes every time the affected calendar entry is viewed by any authenticated user.

The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform a wide range of malicious activities within the compromised user context. An attacker could leverage this vulnerability to steal session cookies, redirect users to phishing sites, modify ticket data, or even escalate privileges within the system. The vulnerability creates a persistent threat that can affect multiple users over time, as any user who views the malicious calendar invitation will be subject to the stored XSS attack. The attack surface is particularly concerning because calendar invitations are typically trusted communications within enterprise environments, making social engineering attacks more effective when combined with this technical vulnerability. Organizations using affected versions of Request Tracker face significant risk of unauthorized data access, data manipulation, and potential system compromise through this vulnerability.

Security mitigations for CVE-2025-9158 should prioritize immediate version upgrades to patched releases where available, as this represents a critical vulnerability requiring prompt remediation. Organizations should implement strict input validation and output encoding measures within the calendar invitation parsing module to prevent unauthorized HTML content from being rendered. The implementation of content security policies and proper HTML sanitization libraries can help prevent script execution in calendar invitation displays. Additionally, network-level protections such as email filtering and web application firewalls can provide additional defense-in-depth measures. Regular security assessments of calendar and invitation handling components should be conducted, with particular attention to input validation and output encoding practices. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of secure coding practices that should be addressed through comprehensive security testing and code review processes. The ATT&CK framework categorizes this vulnerability under T1566 for phishing and T1059 for command and scripting interpreter, highlighting the multi-stage attack potential that this vulnerability enables within enterprise security environments.

Responsible

CERT-PL

Reservation

08/19/2025

Disclosure

10/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00404

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!