CVE-2025-61306
Description
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_coveragealerts.php component of GmbH Mercury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in docuForm v11.11c allows attackers to execute arbitrary JavaScript via a crafted payload in an unfiltered variable.
Vulnerability
Overview
A reflected cross-site scripting (XSS) vulnerability exists in the dfm-menu_coveragealerts.php component of GmbH Mercury Managed Print Services (docuForm) v11.11c. The application fails to properly neutralize user-controllable input before embedding it into dynamically generated web pages, allowing an attacker to inject arbitrary JavaScript code [2]. This is classified as CWE-79: Improper Neutralization of Input During Web Page Generation [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in an unfiltered variable value. When a victim user clicks on the crafted link, the payload is reflected back and executed in the context of their browser session [1]. No authentication is required for the reflected variant, though the stored variant described in the reference requires an authenticated attacker [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to theft of session identifiers or personal information, or to actions performed on behalf of the victim [2]. The CVSS v3.1 score for the stored variant is 7.3 (High): network attack vector, low attack complexity, high impact on confidentiality and integrity, and no impact on availability [2].
Mitigation
The vendor published a fix for this issue in November 2025 [2]. Users are advised to update to the latest version of docuForm FSM Server. The vulnerability was reported by Bastian Recktenwald of ZeroBreach GmbH [2].
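The overview above describes the generic CWE-79 pattern: a request value is written into the generated HTML without output encoding. The following PHP is an added illustration written for this page, not code from docuForm, the vendor, or the cited references; the function names, the `filter` parameter and the sample input are assumptions. It places the vulnerable pattern beside its hardened form and adds a small response-side check a defender can use in a regression test.

```php
<?php
// Added example (not docuForm code). Shows the CWE-79 pattern the CVE text
// describes, beside the corrected output-encoding form. Parameter name
// `filter` and the sample value are placeholders constructed for this page.

// Vulnerable pattern: a request parameter is concatenated straight into the
// HTML body, so any '<', '>' or quote in the value becomes markup.
function render_vulnerable(string $value): string
{
    return '<p>Showing coverage alerts for: ' . $value . '</p>';
}

// Hardened pattern: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, and the charset is set explicitly.
function render_hardened(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Showing coverage alerts for: ' . $safe . '</p>';
}

// Defence in depth for the whole application: a restrictive CSP limits what
// an injected inline script could do even if an encoding gap remains.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Regression check usable in a test suite: after encoding, the response must
// not contain the raw input's tag start. Returns true when the page is safe.
function reflection_is_encoded(string $rendered, string $input): bool
{
    return strpos($rendered, $input) === false
        && strpos($rendered, '<b') === false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample carrying HTML metacharacters, as a scanner would send.
    $sample = '<b onmouseover="x">alerts</b>';

    echo 'vulnerable: ' . render_vulnerable($sample) . PHP_EOL;
    echo 'hardened:   ' . render_hardened($sample) . PHP_EOL;

    if (!reflection_is_encoded(render_hardened($sample), $sample)) {
        throw new RuntimeException('output encoding regression');
    }
    echo 'encoding check passed' . PHP_EOL;
}
```

Run with `php example.php`; the hardened line prints the value as `&lt;b onmouseover=&quot;x&quot;&gt;alerts&lt;/b&gt;`, which the browser displays as text rather than interpreting as an element. The fix belongs at the output point, not in an input filter, because the same value may be reflected into several contexts (HTML body, attribute, JavaScript string) that each need their own encoding.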
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in the index yet)