{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/317469#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nPartner Software and Partner Web, both products of their namesake company, Partner Software, fail to sanitize report or note files, allowing for XSS attacks. Partner Software is subdivision of N. Harris Computer Corporation and is a field application development company, with [products intended for use by industry, municipalities, state government, and private contractors](https://partnersoftware.com/about/partner-software-origins/). An authorized user of Partner Software or Partner Web application can upload \"Reports\" when viewing a job. The file upload feature does not limit files that can be uploaded or their extensions, allowing an attacker with valid credentials to perform XSS attacks and execute malicious code on the device. The Partner Web product also ships with the same default administrator username and password across versions. An attacker with access to the Partner Web application could abuse these vulnerabilities to perform arbitrary code execution on the hosting device. \r\n\r\n### Description\r\n\r\nPartner Software's products Partner Software and Partner Web are used by various municipalities, state government, and private contractors for field application work. These products include support for various GIS-related uses, map viewers, and other support tools. The Partner Software and Partner Web products contain various fields for uploading content for analysis by field workers. An authenticated user with access to the Partner Web application could perform RCE through usage of the vulnerabilities. \r\n\r\n**CVE-2025-6076**\r\nPartner Software's corresponding Partner Web application does not sanitize files uploaded on the Reports tab, allowing an authenticated attacker to upload a malicious file that will be stored on the victim server.\r\n\r\n**CVE-2025-6077**\r\nPartner Software's corresponding Partner Web application all use the same default username and password for the administrator account.\r\n\r\n**CVE-2025-6078**\r\nPartner Software/Partner Web allows an authenticated user to add text on the Notes page within the Job view, but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript and enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).\r\n\r\n### Impact\r\nAn attacker using these vulnerabilities can either gain administrator access to the device or perform XSS, compromising the device. \r\n\r\n### Solution\r\nPartner Software has provided a patch for the affected product in version 4.32.2. The Admin and Edit users are now removed in the 4.32.2 patch, and the Notes section now restricts and sanitizes input to only including simple text. Additionally, file attachments allowed include only .csv, .jpg, .png, .txt, .doc, and .pdf files, and will not longer read then files, only display them. The affected versions of Partner Web are 4.32 and previous. Patch information is available here: https://partnersoftware.com/resources/software-release-info-4-32/\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Ryan Pohlner (Cybersecurity and Infrastructure Security Agency). for the report and to Partner Software for coordination efforts. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/317469"},{"url":"https://partnersoftware.com/partner-services/","summary":"https://partnersoftware.com/partner-services/"},{"url":"https://partnersoftware.com/resources/software-release-info-4-32/","summary":"https://partnersoftware.com/resources/software-release-info-4-32/"}],"title":"Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE","tracking":{"current_release_date":"2025-08-04T15:38:19+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#317469","initial_release_date":"2025-08-02 02:16:05.638577+00:00","revision_history":[{"date":"2025-08-04T15:38:19+00:00","number":"1.20250804153819.2","summary":"Released on 2025-08-04T15:38:19+00:00"}],"status":"final","version":"1.20250804153819.2"}},"vulnerabilities":[{"title":"Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).","notes":[{"category":"summary","text":"Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting)."}],"cve":"CVE-2025-6078","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#317469"}]},{"title":"Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the \"reports\" tab, allowing an authenticated attacker to upload a malicious file and compromise the device.","notes":[{"category":"summary","text":"Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the \"reports\" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability."}],"cve":"CVE-2025-6076","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#317469"}]},{"title":"Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions.","notes":[{"category":"summary","text":"Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions."}],"cve":"CVE-2025-6077","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#317469"}]}],"product_tree":{"branches":[]}}