CVE-2025-14580 is a medium-severity cross-site scripting (XSS) vulnerability identified in the Qualitor IT Service Management (ITSM) software, affecting all versions up to 8.24.73. The vulnerability resides in an unspecified function within the PHP file located at /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php, specifically involving the manipulation of the 'cdscript' parameter. This parameter is insufficiently sanitized, allowing an attacker to inject malicious JavaScript code that executes in the context of a victim's browser when they access a crafted URL. The attack vector is remote and does not require prior authentication, although it does require user interaction to trigger the malicious script. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges required), user interaction needed (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L), with no impact on availability. The vendor was notified directly and has since released patched versions to customers, though no public patch links are provided in the data. The vulnerability could be exploited to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, potentially leading to further compromise. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts. The vulnerability affects a wide range of versions, indicating a long-standing issue in the product's codebase. Organizations using Qualitor should verify their version and apply updates promptly to remediate this issue.

The primary impact of CVE-2025-14580 is the potential compromise of user confidentiality and integrity within affected Qualitor deployments. Successful exploitation allows attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, credential theft, unauthorized actions, or phishing attacks. This can undermine trust in the affected service and lead to data leakage or unauthorized modifications of service requests or documentation managed by Qualitor. Since the vulnerability is remotely exploitable without authentication, any exposed Qualitor web interface is at risk, increasing the attack surface. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where social engineering or phishing is feasible. The vulnerability does not affect availability directly but could be leveraged as part of a broader attack chain. Organizations relying on Qualitor for ITSM processes may experience operational disruptions or compliance issues if sensitive information is compromised. The medium CVSS score reflects moderate risk but should not lead to complacency given the public disclosure and ease of exploitation.

To mitigate CVE-2025-14580, organizations should immediately identify all instances of Qualitor in their environment and verify the version in use. The primary recommendation is to apply the vendor-provided patches or upgrade to the fixed version beyond 8.24.73 as soon as possible. If immediate patching is not feasible, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious scripts targeting the 'cdscript' parameter. Conduct thorough input validation and output encoding on all user-supplied data within custom integrations or extensions to Qualitor. Educate users about the risks of clicking on unsolicited links and implement security awareness training to reduce the likelihood of successful social engineering. Monitor logs for unusual activity or repeated access attempts to the vulnerable endpoint. Additionally, restrict access to the Qualitor web interface to trusted networks or VPNs to reduce exposure. Regularly review and update security controls and perform penetration testing to identify residual risks. Finally, maintain an incident response plan to quickly address any exploitation attempts.