CVE-2025-61310 Overview
CVE-2025-61310 is a reflected cross-site scripting (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mercury Managed Print Services (docuForm) version 11.11c. The flaw allows attackers to execute arbitrary JavaScript in the context of a victim's browser by injecting a crafted payload into an unfiltered variable value. Exploitation requires user interaction, typically through a malicious link. The vulnerability is categorized under [CWE-79], improper neutralization of input during web page generation.
Critical Impact
Successful exploitation enables session hijacking, credential theft, and unauthorized actions performed in the victim's authenticated context within the docuForm Mercury web interface.
Affected Products
- GmbH Mercury Managed Print Services (docuForm) v11.11c
- acc-menu_billings.php component
- Web management interface of docuForm Mercury
Discovery Timeline
- 2026-05-11 - CVE-2025-61310 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-61310
Vulnerability Analysis
The vulnerability resides in the acc-menu_billings.php component of docuForm Mercury Managed Print Services v11.11c. The component reflects user-supplied input back into the rendered HTML response without proper output encoding or input sanitization. An attacker can craft a URL containing JavaScript payloads in a vulnerable parameter and deliver it to an authenticated user. When the victim clicks the link, the server reflects the payload into the response, and the browser executes it within the application's origin.
The CVSS scope for this reflected XSS is rated Changed: the injected script runs in the victim's browser and can reach resources beyond the vulnerable component's security boundary. Confidentiality and integrity impacts are limited but allow theft of session tokens, manipulation of displayed content, and execution of unauthorized actions on behalf of the victim. The EPSS probability is 0.031%, reflecting low observed exploitation activity at this time.
Root Cause
The root cause is missing input validation and output encoding on a variable processed by acc-menu_billings.php. The component embeds attacker-controlled data directly into the HTML response stream, violating standard web output encoding practices defined under [CWE-79].
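To make the CWE-79 defect concrete, the following is an added example (Python written for this page, not docuForm's PHP code) that renders a reflected query value once without and once with HTML output encoding, and checks whether raw markup survives into the page. The parameter name account, the request string and the page layout are constructed placeholders; the advisory does not name the affected variable. In PHP the equivalent fix is to pass the value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') before echoing it.

```python
# Added example, not docuForm's code: reflected output with and without HTML encoding.
# 'account' is a hypothetical parameter name; the advisory does not name the affected variable.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe request using the <script> token the advisory's IoC list mentions
CONSTRUCTED_REQUEST = "/acc-menu_billings.php?account=<script>alert(1)</script>"


def render_vulnerable(account: str) -> str:
    # Models the CWE-79 defect: untrusted input is concatenated into HTML verbatim
    return f"<h1>Billings for {account}</h1>"


def render_hardened(account: str) -> str:
    # Fix for an HTML text/attribute context: encode every reflected value on output.
    # PHP equivalent: htmlspecialchars($account, ENT_QUOTES, 'UTF-8')
    return f"<h1>Billings for {html.escape(account, quote=True)}</h1>"


def echoes_unencoded_markup(request_target: str, renderer) -> bool:
    """True if any query value containing markup appears verbatim in the rendered page.

    This is the response-body check a tester or proxy rule performs: feed a value
    with HTML metacharacters and see whether it comes back unencoded.
    """
    query = urlsplit(request_target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if "<" in value and value in renderer(value):
                return True
    return False


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: echoes raw markup = {echoes_unencoded_markup(CONSTRUCTED_REQUEST, fn)}")
```

Encoding must match the output context: html.escape (or htmlspecialchars) is correct for HTML text and quoted attributes, but a value placed inside a script block, a URL, or an event handler needs the encoder for that context, and filtering the input alone does not replace output encoding.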
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a URL pointing to the vulnerable acc-menu_billings.php endpoint with an embedded JavaScript payload. The attacker delivers the link via phishing, chat, or any channel that induces a logged-in user to click. Upon execution, the script runs with the privileges of the victim's session and can read cookies, manipulate the DOM, or issue authenticated requests.
No verified exploitation code is published. Technical details are referenced in the GitHub Gist Analysis and the ZeroBreach Overview.
Detection Methods for CVE-2025-61310
Indicators of Compromise
- HTTP requests to acc-menu_billings.php containing URL-encoded <script>, onerror=, onload=, or javascript: tokens in query parameters.
- Web server access logs showing unusually long query strings or encoded payloads referencing the billings endpoint.
- Outbound browser requests to attacker-controlled domains immediately following user navigation to docuForm Mercury URLs.
Detection Strategies
- Deploy web application firewall (WAF) rules to flag reflected XSS patterns targeting acc-menu_billings.php request parameters.
- Inspect HTTP response bodies for echoed user input that includes unencoded HTML or JavaScript characters.
- Correlate user click events on external links with subsequent authenticated requests to the docuForm Mercury application.
Monitoring Recommendations
- Enable verbose logging on the docuForm Mercury web server and forward logs to a centralized SIEM for analysis.
- Monitor for anomalous session activity such as token reuse from new IP addresses after a user clicked an external link.
- Track repeated 200-OK responses to the billings endpoint with parameter values containing HTML control characters.
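The indicators and monitoring rules above can be turned into a small log check. The following is an added example (not part of the advisory, NVD, or any vendor tooling) that parses constructed Combined Log Format access-log lines, URL-decodes query parameters repeatedly so double-encoded payloads are not missed, flags requests to acc-menu_billings.php whose parameters contain the listed tokens or unusually long query strings, and then reports sources with repeated 200 responses carrying such payloads. The log lines, IP addresses, timestamps, the period parameter name and the 200-character length threshold are all constructed for the example.

```python
# Added example, not vendor or advisory code: scan constructed access-log lines for the
# CVE-2025-61310 indicators (XSS tokens / long query strings aimed at acc-menu_billings.php).
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Tokens from the Indicators of Compromise list
XSS_TOKENS = re.compile(r"<script|onerror\s*=|onload\s*=|javascript:", re.IGNORECASE)
TARGET = "acc-menu_billings.php"
LONG_QUERY = 200  # constructed threshold for "unusually long query strings"

# Constructed Combined Log Format lines; not real traffic. The third line is double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2026:10:01:02 +0000] "GET /acc-menu_billings.php?period=2026-04 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2026:10:02:17 +0000] "GET /acc-menu_billings.php?period=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2026:10:03:44 +0000] "GET /acc-menu_billings.php?period=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
10.0.0.7 - - [11/May/2026:10:04:01 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text: str) -> list:
    """Return one hit per request to the billings endpoint that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if not parts.path.endswith(TARGET):
            continue
        reasons = []
        if len(parts.query) > LONG_QUERY:
            reasons.append("long query string")
        # parse_qsl decodes one level; fully_decode handles the rest
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            if XSS_TOKENS.search(fully_decode(raw)):
                reasons.append(f"xss token in {name}")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons})
    return hits


def repeated_200_sources(hits: list, threshold: int = 2) -> list:
    """Monitoring rule: sources with repeated 200-OK responses to payload-bearing requests."""
    counts = Counter(h["ip"] for h in hits if h["status"] == "200")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("repeated 200 sources:", repeated_200_sources(found))
```

A 200 response only says the server reflected the request without error, not that the payload executed, so these hits are a triage signal to pair with the response-body and session-anomaly checks above rather than a confirmation of compromise.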
How to Mitigate CVE-2025-61310
Immediate Actions Required
- Restrict access to the docuForm Mercury management interface to trusted internal networks or VPN segments.
- Advise administrators and billing users to avoid clicking unsolicited links referencing the Mercury application.
- Contact docuForm via the Docuform Security Resource to confirm the availability of a fixed release.
Patch Information
No vendor patch reference is included in the current NVD record. Customers running docuForm Mercury Managed Print Services v11.11c should request remediation guidance directly from the vendor and review the GitHub Gist Analysis for technical context.
Workarounds
- Place the application behind a WAF configured to block reflected XSS payloads in query strings and form fields.
- Enforce a strict Content Security Policy (CSP) that disallows inline script execution on the Mercury web interface.
- Set the HttpOnly and Secure flags on session cookies to reduce the impact of script-based session theft.
- Implement browser-side input validation and disable URL preview rendering in clients used by privileged users.
# Example nginx configuration to add Content-Security-Policy and cookie hardening.
# Place these directives in the server or location block that reverse-proxies the
# docuForm Mercury interface (next to its proxy_pass). Verify the Mercury UI still
# works under this CSP before enforcing it, since 'self'-only script-src blocks inline scripts.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;
# Legacy header ignored by current browsers; kept only for older clients
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# Rewrites the Path attribute of upstream Set-Cookie headers so the cookie flags are appended
proxy_cookie_path / "/; HttpOnly; Secure; SameSite=Strict";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


