CVE-2025-30087 is a high-severity Cross-Site Scripting (XSS) vulnerability affecting Best Practical's Request Tracker (RT) versions 4.4.0 through 4.4.7 and 5.0.0 through 5.0.7. RT is a widely used open-source ticketing system for issue tracking and customer support. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically through crafted parameters injected into search URLs. This flaw allows an unauthenticated attacker to inject malicious scripts into the web interface, which are then executed in the context of the victim's browser when they access the manipulated URL. The CVSS 3.1 base score of 7.2 reflects that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has a scope change (S:C), with low impact on confidentiality and integrity but no impact on availability. Exploiting this vulnerability could enable attackers to steal session cookies, perform actions on behalf of users, or conduct phishing attacks within the RT environment. Although no known exploits are currently reported in the wild, the vulnerability's presence in multiple supported RT versions and the lack of available patches at the time of disclosure increase the risk profile. The vulnerability affects core RT functionality, potentially impacting all users who access the affected search features. Given RT's role in managing sensitive support tickets and internal workflows, exploitation could lead to unauthorized data exposure and manipulation of ticketing processes.

For European organizations using Best Practical RT, this vulnerability poses significant risks to the confidentiality and integrity of their support and issue tracking data. Many enterprises, government agencies, and service providers in Europe rely on RT for managing internal and customer-facing workflows. Successful exploitation could lead to session hijacking, unauthorized access to sensitive ticket information, and manipulation of ticket statuses or comments, undermining operational security and trust. The lack of required authentication lowers the barrier for attackers, increasing the likelihood of exploitation. Additionally, compromised RT instances could serve as pivot points for further attacks within organizational networks. The impact is particularly critical for sectors handling sensitive personal data under GDPR, as data breaches could result in regulatory penalties and reputational damage. The absence of known exploits currently provides a window for proactive mitigation, but organizations must act swiftly to prevent potential exploitation.

European organizations should immediately audit their RT installations to identify affected versions (4.4.0 through 4.4.7 and 5.0.0 through 5.0.7). In the absence of official patches, temporary mitigations include implementing strict input validation and output encoding on all user-supplied parameters, especially those used in search URLs. Web application firewalls (WAFs) should be configured to detect and block typical XSS payloads targeting RT. Organizations should also enforce the use of Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Monitoring and logging access to RT search functionalities can help detect suspicious activities. User awareness training should emphasize caution when clicking on URLs received via email or other channels. Finally, organizations should maintain close contact with Best Practical for timely patch releases and apply updates promptly once available.