CVE-2025-61309
Description
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_departments.php component of GmbH Mercury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in docuForm v11.11c's dfm-menu_departments.php allows attackers to execute arbitrary JavaScript via a crafted payload in an unfiltered variable.
What the vulnerability is
A reflected cross-site scripting (XSS) vulnerability has been discovered in the dfm-menu_departments.php component of Mercury Managed Print Services (docuForm) v11.11c by GmbH Mercury [2]. The root cause is improper neutralization of user-controllable input before it is embedded into dynamically generated web pages, corresponding to CWE-79 [2]. Specifically, an unfiltered variable value allows injection of arbitrary script payloads.
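The following is an added illustration of the CWE-79 pattern described above, not code from docuForm or its vendor: a request parameter is reflected into the HTML response without neutralization, beside the hardened form that encodes it for the HTML context at the point of output. The parameter name `dept` and the page layout are assumptions.

```php
<?php
// Hypothetical illustration for CVE-2025-61309 (not docuForm's own code).
// Reflected XSS: a query parameter is copied into the HTML response as-is.

// Vulnerable form: the raw value is concatenated into markup, so any
// markup characters in the request are interpreted by the browser.
function render_department_vulnerable(array $query): string
{
    $dept = $query['dept'] ?? '';
    return '<h2>Department: ' . $dept . '</h2>';
}

// Output-encoding helper for HTML text and attribute contexts.
// ENT_QUOTES encodes both quote characters, so the helper is also safe
// inside quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string and silently dropping the field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: neutralize the value at the moment it enters the page.
function render_department_hardened(array $query): string
{
    $dept = $query['dept'] ?? '';
    return '<h2>Department: ' . h($dept) . '</h2>';
}

// Constructed sample input containing markup characters, standing in for
// a value arriving through a crafted link (assumption, not a real request).
$sample = ['dept' => 'Sales <b>"x"</b>'];

// The vulnerable renderer passes the angle brackets and quotes through
// unchanged; the hardened renderer emits them as HTML entities, so the
// browser displays the text literally instead of parsing it as markup.
echo render_department_vulnerable($sample), PHP_EOL;
echo render_department_hardened($sample), PHP_EOL;

// Defense in depth (assumption about deployment): a restrictive CSP limits
// what an injected inline script could do even if an encoding gap remains.
header("Content-Security-Policy: default-src 'self'");
```

Encoding must match the output context; the helper above covers HTML text and quoted attributes, while values placed into JavaScript, URLs or CSS need their own context-specific encoding.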
How it's exploited
The vulnerability is exploitable remotely without authentication [2]. An attacker crafts a malicious URL containing a JavaScript payload in the vulnerable parameter [2]. When a victim clicks the link, the payload is reflected back in the page response and executed in the context of their browser session [1][2]. No special network position is required beyond the attacker being able to deliver the crafted link (e.g., via phishing or embedding in a web page).
Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser. This can lead to theft of sensitive session identifiers, personal user information, or account takeover [2]. The attacker could perform unintended actions on behalf of the victim or modify application content [2].
Mitigation
The vendor has acknowledged the vulnerability and published a fix in November 2025 [2]. Users are strongly advised to upgrade to the patched version as soon as possible. No workarounds are documented in the available references.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1 affected product. Version range: = v11.11c
Patches
No patches discovered yet (0 recorded).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references.
News mentions
No linked articles in our index yet (0 recorded).