Description
docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross-site scripting attack via the login page of the application.
Published: 2026-05-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw located in the login page of docuFORM Managed Print Service Client 11.11c. An attacker can inject malicious JavaScript that is reflected back into the page when a crafted URL is visited. Without additional defenses, the injected script can run in the context of the user’s browser, potentially allowing an attacker to steal session cookies, deface the interface, or execute further client‑side attacks.

Affected Systems

This issue affects instances of the docuFORM Managed Print Service Client with version 11.11c. The product is distributed by docuFORM GmbH and is used in offices and institutions for managing printing tasks.

Risk and Exploitability

The flaw requires an attacker to deliver a specially crafted URL to a user who visits the login page, implying that user interaction is a prerequisite. Because the vulnerability is client‑side, it does not directly compromise the server, but the potential impact on confidentiality and integrity can be significant if an attacker gains access to privileged user accounts. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog, indicating limited publicly available exploitation data. The CVSS score is 6.1, indicating a medium severity risk. Until a vendor patch is released, the best mitigation is to ensure strict content security policies and input sanitization.

Generated by OpenCVE AI on May 11, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Sanitize all user‑supplied input on the login form to remove or encode script‑related characters.
  • Deploy a Content Security Policy that disallows inline scripting and restricts script sources to trusted origins.
  • Remove or encode any URL parameters that are echoed back on the login page.
  • Upgrade to a patched version of docuFORM Managed Print Service Client once it becomes available.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Docuform; Docuform docuform |
| Vendors & Products | | Docuform; Docuform docuform |

Mon, 11 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Reflected Cross‑Site Scripting in docuFORM Managed Print Service Client 11.11c Login Page |

Mon, 11 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 11 May 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Reflected Cross‑Site Scripting in docuFORM Managed Print Service Client 11.11c Login Page |
| Weaknesses | | CWE-79 |

Mon, 11 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross site scripting attack via the login page of the application. |
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:50:33.288Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65417

Vulnrichment

Updated: 2026-05-11T18:50:29.634Z

NVD

Status: Deferred

Published: 2026-05-11T16:17:29.160

Modified: 2026-05-12T15:05:31.120

Link: CVE-2025-65417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:46Z
