Medium severity (CVSS 5.4) · NVD Advisory · Published Aug 2, 2025 · Updated Apr 15, 2026

CVE-2025-6078

Description

Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can store malicious JavaScript in job notes, leading to stored XSS in Partner Software and Partner Web.

Vulnerability

CVE-2025-6078 describes a stored cross-site scripting (XSS) vulnerability in Partner Software and Partner Web applications. The root cause is insufficient sanitization of user-supplied input on the Notes page when viewing a job. An authenticated user can include HTML tags and JavaScript in a note, which is then stored and rendered without proper escaping [1][2].

Exploitation

To exploit this vulnerability, an attacker must have valid credentials for the affected application. Once authenticated, the attacker navigates to the Notes page within a job view and submits a note containing malicious JavaScript. No special privileges are required beyond being a standard authenticated user. The malicious script is stored server-side and executed in the browsers of other users when they view the same job's notes [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' sessions. This can lead to session hijacking, theft of sensitive data, or further manipulation of the application. The impact is amplified because the products are used by municipalities, state government, and private contractors for field work, potentially exposing sensitive operational information [1][2].

Mitigation

At the time of publication, no patch has been confirmed. System administrators should implement input sanitization and output encoding for all note fields, limit note creation permissions to trusted users, and consider using a web application firewall (WAF) to filter malicious content. The vendor, Partner Software (a division of N. Harris Computer Corporation), has not yet released an official update addressing this vulnerability [1][2].
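To make the mitigation concrete, here is an added example (not Partner Software's code; the note schema, field names and sample notes are constructed) contrasting a renderer that interpolates note text into HTML verbatim with one that HTML-encodes every untrusted field, plus a triage helper that flags already-stored notes containing markup or event handlers so an administrator can review them:

```python
import html
import re
from dataclasses import dataclass


# Hypothetical note record; the field names are an assumption, not the vendor's schema.
@dataclass
class JobNote:
    job_id: int
    author: str
    body: str


# Constructed sample notes: two benign, two carrying markup.
NOTES = [
    JobNote(101, "alice", "Replaced pole, crew left at 16:00"),
    JobNote(101, "mallory", "Done <script>alert(document.cookie)</script>"),
    JobNote(102, "bob", "<img src=x onerror=alert(1)>"),
    JobNote(102, "carol", "Customer said 5 < 6 & that's fine"),
]


def render_note_unsafe(note: JobNote) -> str:
    """The defect class described in the advisory: body dropped into HTML as-is."""
    return f"<li data-author='{note.author}'>{note.body}</li>"


def render_note_safe(note: JobNote) -> str:
    """Fix: encode each untrusted field for the HTML context it lands in.

    quote=True also encodes ' and ", so the author value is safe inside the attribute.
    """
    author = html.escape(note.author, quote=True)
    body = html.escape(note.body, quote=True)
    return f'<li data-author="{author}">{body}</li>'


# Triage patterns: an HTML tag, an inline event handler, or a javascript: URL.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_notes(notes):
    """Return stored notes that contain markup, for manual review after the fix is deployed."""
    return [
        n for n in notes
        if TAG_RE.search(n.body) or HANDLER_RE.search(n.body) or "javascript:" in n.body.lower()
    ]
```

The stray `<` and `&` in carol's note show that encoding, not filtering, is the right control: her text survives intact in the rendered page while the other two notes become inert text.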

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)