CVE-2025-6078: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Partner Software Partner Web
Partner Software's Partner Software application and Partner Web application allow an authenticated user to add notes on the 'Notes' page when viewing a job but do not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).
AI Analysis
Technical Summary
CVE-2025-6078 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Partner Software's Partner Web application version 4.32. The vulnerability arises because the application allows authenticated users to add notes on a 'Notes' page associated with job views but fails to properly sanitize or neutralize HTML and JavaScript input. This improper input handling enables an attacker with valid credentials to inject malicious JavaScript code into notes. When other users or the same user view the affected notes page, the malicious script executes in their browsers within the context of the vulnerable web application. Stored XSS is particularly dangerous because the malicious payload is persistently stored on the server and served to multiple users, increasing the attack surface. The lack of a CVSS score indicates the vulnerability has been recently published (August 2025) and may not yet have undergone full severity assessment. No known exploits in the wild have been reported so far. The vulnerability requires authentication, meaning an attacker must have valid user credentials to exploit it. However, once exploited, it can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or distribution of malware, depending on the payload delivered by the attacker. The vulnerability affects a specific version (4.32) of Partner Web, which is used in job management contexts, suggesting its deployment in business environments. The absence of patch links indicates that a fix may not yet be publicly available or is pending release.
Potential Impact
For European organizations using Partner Software's Partner Web application version 4.32, this vulnerability poses a significant risk to confidentiality, integrity, and availability of user sessions and data. Stored XSS can allow attackers to hijack user sessions, steal sensitive information such as credentials or personal data, and perform unauthorized actions within the application. This can lead to data breaches, loss of trust, and potential regulatory non-compliance under GDPR if personal data is compromised. The impact is amplified in environments where Partner Web is integrated with other internal systems or contains sensitive job-related information. Since exploitation requires authentication, insider threats or compromised user accounts are the most likely attack vectors. The persistent nature of stored XSS means multiple users can be affected once malicious notes are added. Additionally, attackers could use the vulnerability to pivot to other systems or escalate privileges if the application has elevated access. The lack of known exploits in the wild suggests the threat is currently theoretical but should be treated proactively to prevent future attacks.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting note input to disallow HTML and JavaScript content. Implement strict input validation and output encoding on the 'Notes' page to neutralize any potentially malicious code.
2. Employ Content Security Policy (CSP) headers to reduce the risk of script execution from untrusted sources.
3. Enforce least privilege principles for user accounts to limit the impact of compromised credentials.
4. Monitor logs for unusual note creation or modification activities that could indicate exploitation attempts.
5. If possible, disable the note-adding feature temporarily until a patch is available.
6. Engage with Partner Software to obtain or request a security patch addressing this vulnerability.
7. Educate users about phishing and credential security to reduce the risk of account compromise.
8. Conduct regular security assessments and penetration testing focusing on input validation and stored XSS vectors within the application.
9. Implement multi-factor authentication (MFA) to reduce the likelihood of unauthorized access by attackers.
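The following is an added illustration of recommendations 1, 2 and 4 (it is not code from Partner Web, whose stack is not described here): notes are HTML-encoded before they are placed in the page body, the response carries a restrictive CSP header, and notes that contain tag-like markup are surfaced for review. The sample notes, the CSP values and the tag heuristic are constructed assumptions.

```python
import html
import re

# Constructed sample notes for the demonstration; not data from the affected product.
SAMPLE_NOTES = [
    "Customer called, reschedule to Monday",
    "Price < 100 && > 50",
    "<b>urgent</b> part on backorder",
    "<script>alert(1)</script>",
]

# Any angle-bracketed tag-like token. Notes are meant to be plain text, so markup
# of any kind is unexpected and worth flagging (recommendation 4). Heuristic only.
_TAG_RE = re.compile(r"<\s*/?[A-Za-z][^>]*>")

# Restrictive policy: scripts only from the site's own origin, no inline script,
# no plugins, no <base> rewriting (recommendation 2). An assumed baseline policy.
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def contains_markup(note: str) -> bool:
    """True if the note text contains something that would parse as an HTML tag."""
    return _TAG_RE.search(note) is not None


def render_note(note: str) -> str:
    """Encode a note for an HTML element body (recommendation 1). The browser shows
    the literal characters the user typed and never interprets them as markup."""
    return '<li class="note">' + html.escape(note, quote=True) + "</li>"


def render_notes_page(notes):
    """Return (headers, body) for the Notes page: encoded content plus the CSP header."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_VALUE,
    }
    body = "<ul>\n" + "\n".join(render_note(n) for n in notes) + "\n</ul>"
    return headers, body


def notes_to_review(notes):
    """Notes an operator should look at: plain-text notes that carry markup."""
    return [n for n in notes if contains_markup(n)]


if __name__ == "__main__":
    hdrs, page = render_notes_page(SAMPLE_NOTES)
    print(hdrs["Content-Security-Policy"])
    print(page)
    print("flagged for review:", notes_to_review(SAMPLE_NOTES))
```

`html.escape` is correct only for element content; a note written into an attribute, a URL or a script block needs that context's own encoding, which this example does not cover.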
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: certcc
- Date Reserved: 2025-06-13T15:20:26.334Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 688d7c4fad5a09ad00d0c4f6
Added to database: 8/2/2025, 2:47:43 AM
Last enriched: 8/2/2025, 3:02:41 AM
Last updated: 8/2/2025, 10:52:47 AM