CVE-2025-61310
Description
A reflected cross-site scripting (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in docuForm's acc-menu_billings.php allows attackers to execute arbitrary JavaScript via a crafted payload in an unfiltered variable.
Vulnerability Overview
CVE-2025-61310 is a reflected cross-site scripting (XSS) vulnerability found in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. The root cause is improper neutralization of user-controllable input before it is embedded into dynamically generated web pages, specifically an unfiltered variable value that can be manipulated by an attacker [1][2].
Exploitation
An attacker can exploit this vulnerability by injecting a crafted payload into the unfiltered variable, which is then reflected back to the user's browser without proper sanitization. The attack requires user interaction, such as clicking a malicious link, but does not require authentication, making it accessible to unauthenticated remote attackers [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session identifiers, personal information, or other sensitive data, potentially enabling account takeover or unauthorized actions on behalf of the victim [2].
Mitigation
The vendor, docuFORM, acknowledged the vulnerability and published a fix in November 2025 [2]. Users are advised to update to the latest patched version of docuForm to mitigate the risk.
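Because the payload of a reflected XSS travels in the request itself, access logs can be triaged for requests to acc-menu_billings.php whose parameter values decode to markup. The following is an added example, not code from the vendor or the CVE record; the combined log format, the `/app/` path prefix, the `view` parameter name and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

COMPONENT = "acc-menu_billings.php"  # component named in the CVE description

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Markup and script tokens needed to break out of HTML or attribute context.
SUSPICIOUS_RE = re.compile(r'[<>"\'`]|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample entries; path prefix, parameter name and values are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:01:02 +0000] "GET /app/acc-menu_billings.php?view=summary HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2026:10:03:44 +0000] "GET /app/acc-menu_billings.php?view=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188',
    '198.51.100.9 - - [01/Jan/2026:10:04:10 +0000] "GET /app/acc-menu_billings.php?view=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5190',
    '198.51.100.7 - - [01/Jan/2026:10:05:30 +0000] "GET /app/index.php?q=%3Cb%3E HTTP/1.1" 200 812',
]


def fully_decode(value, max_rounds=3):
    """Undo nested URL encoding (%253C -> %3C -> <), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(name, decoded_value)] for markup-bearing parameters sent to COMPONENT."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.lower().endswith("/" + COMPONENT):
        return []  # other pages are out of scope for this triage
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if SUSPICIOUS_RE.search(decoded):
            hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, start=1):
        for name, value in suspicious_params(line):
            print(f"line {number}: parameter {name!r} carries markup: {value!r}")
```

A payload delivered in a POST body does not appear in access logs, so an empty result does not rule out attempts.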
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.