CVE-2025-9158 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that affects the Request Tracker (RT) software developed by Best Practical. The vulnerability arises from improper neutralization of input during web page generation, specifically within the calendar invitation parsing feature. When RT processes calendar invitations embedded in emails, it fails to sanitize HTML content, allowing malicious JavaScript code to be stored and later executed in the context of the logged-in user's browser when viewing the ticket. This flaw affects RT versions from 5.0.4 through 5.0.8 and 6.0.0 through 6.0.1. The attack vector is remote and does not require authentication, as an attacker can send a specially crafted email to a user whose RT instance processes the invitation data. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and low impact on confidentiality and integrity, with no impact on availability. The vulnerability could allow attackers to execute arbitrary JavaScript, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within RT. No patches or exploits are currently documented, but the presence of this vulnerability in widely used versions of RT necessitates prompt attention.

For European organizations, the impact of CVE-2025-9158 can be significant, especially for those relying on Request Tracker for IT service management, helpdesk operations, or internal ticketing. Exploitation could lead to unauthorized access to sensitive ticket data, session hijacking of privileged users, and potential lateral movement within the network. Since the vulnerability requires only user interaction (viewing a ticket with a malicious calendar invitation), social engineering or phishing campaigns could be leveraged to trigger the exploit. Confidentiality and integrity of ticket data could be compromised, undermining trust in incident response and support workflows. Additionally, exploitation could facilitate further attacks such as privilege escalation or data exfiltration. The medium CVSS score reflects moderate risk, but the ease of remote exploitation without authentication increases the threat level. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) may face compliance and reputational risks if exploited.

1. Upgrade Request Tracker to a version beyond 6.0.1 where this vulnerability is fixed, once patches are released by Best Practical. 2. Until patches are available, implement strict email filtering to block or quarantine suspicious calendar invitations and emails containing potentially malicious HTML or scripts. 3. Configure web application firewalls (WAFs) to detect and block XSS payloads targeting the RT interface, focusing on calendar invitation parsing endpoints. 4. Educate users to be cautious with unexpected calendar invitations and emails, especially those triggering ticket updates. 5. Employ Content Security Policy (CSP) headers on the RT web interface to restrict execution of inline scripts and reduce XSS impact. 6. Regularly audit and monitor RT logs for unusual activity or signs of exploitation attempts. 7. Limit RT user privileges to the minimum necessary to reduce the impact of compromised sessions. 8. Consider isolating RT instances or restricting access to trusted networks to reduce exposure. These measures combined will help mitigate the risk until official patches are applied.