CVE-2025-61312 Overview
CVE-2025-61312 is a reflected cross-site scripting (XSS) vulnerability in the acc-menu_pricess.php component of docuForm Mercury Managed Print Services version 11.11c. The script reflects a request parameter into the HTTP response without output encoding. An authenticated, low-privileged attacker can craft a request whose JavaScript payload executes in the browser of any user who opens it, inside that user's session. The vulnerability is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can execute arbitrary JavaScript in a user's browser context, enabling session hijacking, credential theft, and unauthorized actions within the docuForm Mercury print management interface. Because the XSS is reflected, each attack needs a victim to open a crafted link; a session cookie carrying the HttpOnly flag cannot be read by the payload, but the script can still issue requests in the victim's session.
Affected Products
- docuForm Mercury Managed Print Services v11.11c (only this build is listed; treat earlier builds as unverified rather than unaffected)
- the acc-menu_pricess.php component
- any deployment whose Mercury web interface is reachable by users who can be lured to a crafted link, including internal-only deployments
Discovery Timeline
- 2026-05-11 - CVE-2025-61312 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-61312
Vulnerability Analysis
The vulnerability resides in the acc-menu_pricess.php component of docuForm Mercury Managed Print Services v11.11c. The script accepts user-supplied input through a request variable and reflects it into the HTTP response without applying output encoding or input sanitization. When a victim visits a crafted URL or submits a manipulated request, the injected JavaScript executes within the user's authenticated session context.
A reflected XSS in a print management platform may expose administrative credentials, alter print job routing, or serve as a pivot into adjacent enterprise systems, depending on the privileges of the compromised account. Because docuForm Mercury is typically deployed in document-heavy environments, a compromised session may disclose sensitive business records.
Root Cause
The root cause is the absence of output encoding when rendering attacker-controlled input back into the HTML response. The acc-menu_pricess.php script trusts request parameters and embeds them directly into the page. No contextual escaping is applied to HTML, attribute, or JavaScript output contexts, allowing arbitrary script tags or event handlers to break out of the intended data context.
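The contrast the root cause describes, as an added example that is not code from docuForm Mercury (a PHP application): a raw reflection beside the context-aware encoding that prevents it. The parameter name "menu", the three templates and the payload are constructed for the demonstration; the PHP equivalent for the attribute case is htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8').

```python
"""Contextual output encoding versus the raw reflection behind CWE-79.

Added example, not code from docuForm Mercury (a PHP application). The parameter
name "menu", the three templates and the payload are constructed for the demo.
"""
import html
import json
from html.parser import HTMLParser

# Constructed payload: closes a double-quoted attribute and adds an event handler.
PAYLOAD = '" onmouseover="alert(document.cookie)" x="'


def render_vulnerable(menu: str) -> str:
    """Reflects the request parameter verbatim, as the advisory describes."""
    return f'<input name="menu" value="{menu}">'


def render_html_context(menu: str) -> str:
    """Text between tags: &, < and > must be encoded."""
    return f"<h1>Menu: {html.escape(menu, quote=False)}</h1>"


def render_attribute_context(menu: str) -> str:
    """Quoted attribute: quote=True also encodes " and ' so the value cannot close it.
    PHP equivalent: htmlspecialchars($menu, ENT_QUOTES | ENT_HTML5, 'UTF-8')."""
    return f'<input name="menu" value="{html.escape(menu, quote=True)}">'


def render_js_context(menu: str) -> str:
    """Inline script literal: JSON-encode, then neutralise "</" so a value cannot
    terminate the <script> element early."""
    literal = json.dumps(menu).replace("</", "<\\/")
    return f"<script>var menu = {literal};</script>"


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(rendered: str) -> dict:
    """Parse the rendered fragment the way a browser would and return its attributes."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    print(input_attributes(render_vulnerable(PAYLOAD)))          # onmouseover appears
    print(input_attributes(render_attribute_context(PAYLOAD)))  # only name and value
    print(render_js_context("</script><script>alert(1)</script>"))
```

The parser check is the useful part: the vulnerable render yields an extra onmouseover attribute, the encoded render yields exactly two attributes with the payload preserved as data. Each context needs its own encoder; html.escape with quote=False is sufficient between tags but not inside an attribute, and neither is correct inside a script block.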
Attack Vector
The attack requires network access to the Mercury web interface, a low-privileged account, and user interaction. An attacker crafts a URL with a JavaScript payload in the vulnerable parameter and delivers it by phishing or a malicious referral; when an authenticated user opens the link, the payload runs with that user's privileges. No verified exploit code has been published; the GitHub Gist by ZeroBreach referenced in the advisory describes the payload structure.
Detection Methods for CVE-2025-61312
Indicators of Compromise
- HTTP requests to acc-menu_pricess.php containing <script>, onerror=, onload=, or URL-encoded equivalents in query parameters
- Unexpected outbound connections from user browsers following access to Mercury URLs
- Anomalous session activity on docuForm Mercury accounts shortly after users open external links
Detection Strategies
- Inspect web server and reverse proxy logs for requests to acc-menu_pricess.php with reflective payload patterns such as javascript:, <img src=x>, or HTML entity-encoded scripts
- Deploy web application firewall (WAF) rules that flag XSS signatures targeting docuForm endpoints
- Correlate browser process telemetry with suspicious script execution originating from internal print management URLs
Monitoring Recommendations
- Enable verbose access logging on the Mercury web server and forward logs to a centralized SIEM for query and retention
- Alert on repeated 200-response requests to acc-menu_pricess.php from a single source whose percent-decoded query parameters contain reserved HTML characters (<, >, ", '); decode before matching, since %3C and double-encoded %253C never match a literal <
- Monitor authentication events for Mercury accounts to identify session reuse from unexpected IP addresses
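The log inspection and alerting rules above, as an added Python example that is not tooling from docuForm or the advisory. The log lines are constructed in Combined Log Format, and the parameter names (menu, id) and addresses are assumptions. Decoding each query parameter before matching is the point: a grep on the raw request line, or a WAF regex on $args, misses the double-encoded probe in the sample.

```python
"""Scan web server access logs for XSS probes against acc-menu_pricess.php.

Added example, not tooling from docuForm or the advisory. The log lines are
constructed in Combined Log Format; parameter names (menu, id) and addresses are
assumptions. Decoding the query string before matching is the point: a grep on
the raw request line misses %2522/%253C-style double encoding.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

ENDPOINT = "/acc-menu_pricess.php"
# Tag openers, inline event handlers, javascript: URLs (matched after decoding).
XSS_PATTERN = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.I)
RESERVED = set('<>"\'')

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample: one clean request, one plain probe, one double-encoded probe
# sent twice, one probe against another endpoint, one clean multi-parameter request.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2026:09:12:01 +0000] "GET /acc-menu_pricess.php?menu=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2026:09:13:44 +0000] "GET /acc-menu_pricess.php?menu=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2026:09:13:59 +0000] "GET /acc-menu_pricess.php?menu=%2522%2520onerror%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5299 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2026:09:14:10 +0000] "GET /acc-menu_pricess.php?menu=%2522%2520onerror%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5299 "-" "Mozilla/5.0"
10.0.0.7 - - [11/May/2026:09:15:02 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.3 - - [11/May/2026:09:16:30 +0000] "GET /acc-menu_pricess.php?menu=3&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded). PHP decodes only once,
    so a double-encoded payload will not execute, but it is still a probe worth flagging."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text: str) -> list:
    """Return one finding per suspicious query parameter sent to the vulnerable endpoint."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        if url.path != ENDPOINT or not url.query:
            continue
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            decoded = fully_decode(raw.replace("+", " "))
            if XSS_PATTERN.search(decoded) or RESERVED & set(decoded):
                findings.append({"ip": match["ip"], "ts": match["ts"], "status": match["status"],
                                 "param": name, "raw": raw, "decoded": decoded})
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Sources with repeated 200-response probes, the pattern the alerting rule keys on."""
    counts = Counter(f["ip"] for f in findings if f["status"] == "200")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["decoded"]!r}')
    print("repeat offenders:", repeat_offenders(hits))
```

Run against real logs, expect false positives from legitimate values that contain quotes or angle brackets; the repeat-offender count and the 200 status filter are what turn single hits into something worth paging on. The probe against index.php is deliberately ignored here because the advisory scopes the flaw to one script; widen ENDPOINT to a set if other reflective parameters turn up.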
How to Mitigate CVE-2025-61312
Immediate Actions Required
- Restrict access to the Mercury web interface to trusted internal networks or VPN-only access
- Notify users of phishing risk and instruct them not to click unsolicited links referencing the print management portal
- Audit recent access logs for the acc-menu_pricess.php endpoint to identify probing activity
Patch Information
No vendor patch is referenced in the NVD entry at publication. Contact docuForm through the Docuform Security Resource for an updated build of Mercury Managed Print Services beyond v11.11c. Review the ZeroBreach Security Overview for advisory updates.
Workarounds
- Deploy a WAF rule blocking requests to acc-menu_pricess.php whose decoded parameter values contain HTML special characters such as <, >, ", and '; expect false positives on legitimate values and bypasses through encodings the rule does not normalise
- Apply a strict Content-Security-Policy (CSP) header on the Mercury application to limit inline script execution; a legacy PHP interface often relies on inline scripts, so test with Content-Security-Policy-Report-Only before enforcing
- Set the HttpOnly, Secure and SameSite flags on session cookies to reduce the impact of successful script execution; this blocks cookie theft but not actions the script performs in the victim's session
# Example NGINX rule for the vulnerable endpoint (stop-gap, not a fix): $args is not
# percent-decoded, so %253C-style double encoding passes, and legitimate values are blocked too.
location ~* /acc-menu_pricess\.php {
    if ($args ~* "(<|%3C)\s*script|on[a-z]+\s*(=|%3D)|javascript\s*:") {
        return 403;
    }
    # A regex location overrides the generic PHP location, so FastCGI handling must be
    # repeated here or nginx serves the PHP source; the socket path is an assumption.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
    # "always" covers the 403 too. script-src 'self' blocks inline scripts the application
    # may rely on (test first); X-XSS-Protection is ignored by current browsers.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    add_header X-XSS-Protection "1; mode=block" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


