CVE-2025-61307
Description
A reflected cross-site scripting (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in docuForm FSM Server 11.11c allows arbitrary JavaScript execution via crafted payload in acc-menu_papers.php.
Vulnerability Overview
CVE-2025-61307 is a reflected cross-site scripting (XSS) vulnerability found in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. The vulnerability arises because user-supplied input is not properly sanitized before being embedded into the dynamically generated web page, allowing an attacker to inject a crafted payload into an unfiltered variable. This issue is classified under CWE-79: Improper Neutralization of Input During Web Page Generation [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the vulnerable parameter. When a user visits this URL, the malicious script is executed in the context of the victim's browser session. No authentication is required to trigger the reflected XSS, as the attack is delivered via a link that the victim must click. The attack vector is network-based, with low complexity, and requires user interaction [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session identifiers, disclosure of sensitive information, and unauthorized actions performed on behalf of the victim. Although the CVSS score for the reflected variant is 6.1 (Medium), similar stored XSS issues have been rated higher (7.3, High) due to increased persistence and impact [2].
Mitigation
The vendor acknowledged the vulnerability and released a fix in November 2025. Users are strongly advised to update to the latest version of docuForm FSM Server to remediate this issue. According to the disclosure timeline, details were published in April 2026 [2].
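Until the update is deployed, web server logs can be reviewed for the crafted-URL delivery described under Exploitation. The following triage script is an added example, not code from the vendor or the advisory; it assumes Apache/nginx "combined" access logs, and the request path, the parameter name `item` and all log lines are constructed, since the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

COMPONENT = "acc-menu_papers.php"  # component named in the CVE description
# Heuristic: markup metacharacters, script URLs and inline event handlers
# are not expected in a menu parameter. Hits need manual review.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# "combined" format: client ident user [time] "METHOD target PROTO" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(lines, component=COMPONENT):
    """Return (client, parameter, decoded value) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + component):
            continue  # only the affected component is of interest
        # parse_qsl decodes once; fully_decode catches double encoding.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if SUSPICIOUS.search(decoded):
                hits.append((client, name, decoded))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical parameter).
SAMPLE = [
    '192.0.2.10 - - [18/May/2026:10:00:01 +0000] "GET /acc-menu_papers.php?item=tray1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/May/2026:10:00:05 +0000] "GET /acc-menu_papers.php?item=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [18/May/2026:10:00:09 +0000] "GET /acc-menu_papers.php?item=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/May/2026:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit)
```

Payloads sent in a POST body do not appear in access logs, so this check covers only link-based delivery through the query string.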
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = v11.11c
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.