CVE-2025-14580

3.5 LOW

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Qualitor's document viewing component that allows attackers to inject malicious scripts via the cdscript parameter. The vulnerability affects Qualitor installations up to version 8.24.73 and can be exploited remotely without authentication. Organizations using vulnerable versions of Qualitor are at risk of client-side attacks against their users.

💻 Affected Systems

Products:
  • Qualitor
Versions: up to 8.24.73
Operating Systems: All platforms running Qualitor
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the document viewing component at /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware to end users.

🟠 Likely Case

Attackers inject malicious JavaScript to steal session tokens or credentials from authenticated users, potentially leading to account compromise.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to benign parameter manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed and the vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.24.73

Vendor Advisory: Not provided in CVE details

Restart Required: No

Instructions:

1. Contact the Qualitor vendor for updated versions containing the fix.
2. Upgrade to a version after 8.24.73.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platforms: all

Implement WAF rules to block malicious script injection in the cdscript parameter

Input Validation Filter

Platforms: all

Add server-side validation to sanitize the cdscript parameter before processing

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution
  • Restrict access to the vulnerable endpoint using network segmentation or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Test the /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php endpoint with XSS payloads in the cdscript parameter

Check Version:

Check Qualitor version in administration panel or configuration files

Verify Fix Applied:

After patching, test the same endpoint with XSS payloads to confirm they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual cdscript parameter values containing script tags or JavaScript code
  • Multiple failed XSS attempts

Network Indicators:

  • HTTP requests to viewDocumento.php with suspicious cdscript parameter values

SIEM Query:

source="web_server" AND uri="*viewDocumento.php*" AND (param="*<script>*" OR param="*javascript:*" OR param="*onload=*" OR param="*onerror=*")
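
A substring query like the one above can miss percent-encoded values when the SIEM field holds the raw query string. The following added example (not part of the advisory or any vendor tooling) decodes the cdscript parameter from access-log lines before matching the same markers; the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "viewDocumento.php"  # vulnerable script named in the advisory
PARAM = "cdscript"              # affected parameter named in the advisory
# Same markers as the SIEM query: <script, javascript:, onload=, onerror=
MARKERS = re.compile(r"<\s*script|javascript\s*:|on(?:load|error)\s*=", re.I)
# Request line of a combined-format access log entry (assumed log format)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cdscript(log_line):
    """Return the decoded cdscript value if it carries a marker, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if MARKERS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    flagged = ((n, suspicious_cdscript(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in flagged if v is not None]

# Constructed sample lines, not real traffic
BASE = "/Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php"
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET {BASE}?cdscript=42 HTTP/1.1" 200 512',
    f'203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET {BASE}?cdscript=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 530',
    f'203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET {BASE}?cdscript=%253Cscript%253E HTTP/1.1" 200 518',
    '203.0.113.9 - - [01/Jan/2026:10:00:12 +0000] "GET /Qualitor/index.php?cdscript=%3Cscript%3E HTTP/1.1" 200 100',
]
```

Calling scan(SAMPLE_LOG) flags the single- and double-encoded requests to viewDocumento.php and ignores the benign value and the unrelated endpoint.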
