Impact
A reflected cross‑site scripting (XSS) vulnerability exists in the dfm‑menu_coveragealerts.php component of the docuForm Managed Print Services platform. An attacker can inject arbitrary JavaScript by supplying a crafted payload in an unfiltered variable, and the injected script executes in the victim’s browser with the privileges of the user who views the page. The specific outcomes (such as session hijacking or credential theft) depend on the attacker’s intent and are not detailed in the CVE description. Based on the description, it is inferred that the attacker would need to entice a user to visit a crafted URL that includes the malicious payload.
Affected Systems
The flaw is present in docuForm version 11.11c and is not known to affect other releases or vendor products, so the impact is confined to installations running that specific version of the application.
Risk and Exploitability
The vulnerability is a reflected XSS that can be triggered when a user follows a link or submits a form containing malicious data. Since the payload is delivered client‑side, the main risk is to the end user. No known exploits or exploitation campaigns are reported; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires user interaction with crafted content; this is inferred from the definition of reflected XSS.
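Because the CVE description does not name the unfiltered variable, defenders can review web server access logs for any parameter sent to this component that carries markup or script tokens. The following is an added example, not part of the CVE record or of docuForm's code; it assumes combined-format access logs and that the component name appears in URLs with ASCII hyphens, and the `/dfm/` path prefix, the parameter names `view` and `q`, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the component appears in request paths with plain ASCII hyphens.
COMPONENT = "dfm-menu_coveragealerts.php"

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Heuristic: markup/quote characters, javascript: URLs and inline event handlers.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(name, decoded_value)] for flagged parameters, else []."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # Only requests to the affected component are of interest here.
    if not url.path.lower().endswith("/" + COMPONENT):
        return []
    # parse_qsl decodes one layer; fully_decode removes any further layers.
    pairs = ((n, fully_decode(v)) for n, v in parse_qsl(url.query, keep_blank_values=True))
    return [(n, v) for n, v in pairs if SUSPICIOUS_RE.search(v)]


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /dfm/dfm-menu_coveragealerts.php?view=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:01:00 +0000] "GET /dfm/dfm-menu_coveragealerts.php?q=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2025:10:02:00 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"possible reflected XSS attempt: {name}={value!r}")
```

Access logs normally record only the query string, so payloads submitted in a form body will not appear here and need request-body logging or a WAF to observe.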
OpenCVE Enrichment