Qualitor
CVE-2025-14580
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A security vulnerability has been detected in Qualitor up to 8.24.73. The impacted element is an unknown function of the file /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php. Such manipulation of the argument cdscript leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component. The vendor confirms the existence of the issue: "We became aware of the issue through an earlier direct notification from the original reporter, and our engineering team promptly investigated and implemented the necessary corrective measures. (...) Updated versions containing the fix have already been provided to our customer base".
Analysis (AI-generated)
Reflected cross-site scripting (XSS) in Qualitor up to version 8.24.73 allows authenticated remote attackers to inject malicious scripts via the cdscript parameter in /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php, exploitable only with user interaction (e.g., clicking a malicious link). While publicly available exploit code exists and the vendor has confirmed and patched the issue, the low CVSS score (2.0) and requirement for both authentication and user interaction significantly limit real-world risk.
Technical Context (AI-generated)
The vulnerability is a reflected cross-site scripting (XSS) flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It resides in a PHP file within Qualitor's document "biblioteca" (library) request handler. The cdscript parameter is passed to viewDocumento.php without proper input validation or output encoding, so an attacker can inject arbitrary HTML and JavaScript that executes in the victim's browser session. The affected product is Qualitor, a document management or business collaboration platform; the path component /bcdocumento9/ suggests document-handling functionality.
Remediation (AI-generated)
Upgrade to the patched version distributed by Qualitor after the vendor implemented its corrective measures. The vendor states that "updated versions containing the fix have already been provided to our customer base," but specific version numbers are not disclosed in the available references. Contact Qualitor support or check the vendor advisory on vuldb.com to identify the exact patched version. As an interim compensating control, restrict access to /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php to trusted internal networks via web server ACLs; this prevents external exploitation but does not address internal threats. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing script-like payloads in the cdscript parameter (e.g., patterns matching <script, javascript:, onerror=), recognizing that WAF evasion is possible and that such a rule is not a substitute for patching.