VU#317469: Partner Software/Pa... Note

VU#317469: Partner Software/Partner Web uses does not sanitize Report files and Note content, allowing for XSS and RCE

Partner Software and Partner Web are susceptible to cross-site scripting (XSS) attacks due to improper sanitization of report and note files. These applications, used by industry, municipalities, state government, and private contractors, allow authorized users to upload files. The file upload feature does not restrict file types, enabling attackers to execute malicious code on a victim's device. Additionally, Partner Web ships with default administrator credentials, creating a significant security risk. These vulnerabilities, identified as CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078, can lead to arbitrary code execution and device compromise. The impact of these vulnerabilities allows attackers to gain administrator access or perform XSS attacks. Partner Software has released a patch in version 4.32.2 to address these security flaws. The patch removes Admin and Edit user roles, sanitizes input in the Notes section, and restricts file attachments to specific formats. The affected versions of Partner Web are 4.32 and earlier. Patch information can be found on the Partner Software website.