CVE-2025-61313

Docuform · dfm-menu_markeralerts

A reflected cross-site scripting (XSS) vulnerability exists in the Docuform dfm-menu_markeralerts component.

Executive summary

A reflected cross-site scripting (XSS) vulnerability in Docuform's dfm-menu_markeralerts component may allow attackers to execute malicious scripts in a user's browser.

Vulnerability

This is a reflected XSS vulnerability requiring authenticated, low-privilege access and user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) highlights a high potential for confidentiality and integrity compromise.

Business impact

Exploitation of this vulnerability could lead to the compromise of authenticated user sessions. This could result in unauthorized data access or malicious modifications within the affected application, posing a substantial risk to organizational security and user trust.

Remediation

Immediate Action: Consult Docuform support or documentation to determine if a security patch is available for the dfm-menu_markeralerts component.

Proactive Monitoring: Inspect web application traffic for input vectors that may carry reflected scripts, particularly those involving the markeralerts functionality.

Compensating Controls: Utilize a WAF to enforce strict input sanitization and output encoding policies that block reflected XSS attempts.

Exploitation status

Public Exploit Available: No confirmed public exploit.

Analyst recommendation

Administrators should treat this as a high-priority item by identifying if their environment utilizes the affected Docuform component. Once identified, apply all vendor-recommended security updates to eliminate the reflected XSS vector.