CVE-2025-61308
Description
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected cross-site scripting vulnerability in docuForm's dfm-menu_maintenance.php allows attackers to inject arbitrary JavaScript via an unfiltered variable.
Vulnerability
Description
CVE-2025-61308 is a reflected cross-site scripting (XSS) vulnerability found in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. The root cause is improper neutralization of user-controllable input before it is embedded into the generated web page [2]. The description indicates that an attacker can inject a crafted payload into an unfiltered variable.
Exploitation
An attacker can exploit this by crafting a malicious URL containing the payload and sending it to a victim. The victim, e.g., the administrator or another user who has a session in the application, must interact with the crafted link [1]. The attacker needs no authentication for the reflected XSS to execute, but must trick a user into opening the link.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the user's browser. This can lead to theft of session cookies, disclosure of sensitive information, or actions performed on behalf of the victim [2]. The CVSS score (6.1 Medium) indicates a low impact on confidentiality and integrity, typical for XSS, with no direct impact on availability.
Mitigation
The vendor acknowledged the vulnerability and published a fix in November 2025 [2]. Users are advised to update to the patched version. No workarounds are mentioned in the references.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: =11.11c
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.