CVE-2025-14691
Cross-Site Scripting in Mayan EDMS Authentication Module
Publication date: 2025-12-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayan-edms | mayan_edms | to 4.10.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in Mayan EDMS versions up to 4.10.1. It occurs in an unknown function within the /authentication/ file. An attacker can exploit this vulnerability remotely by manipulating input to execute malicious scripts in the context of a user's browser. The vulnerability has been fixed in version 4.10.2.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to perform cross-site scripting attacks, which may lead to the execution of malicious scripts in users' browsers. This can result in the attacker hijacking user sessions, defacing web content, or redirecting users to malicious sites. The impact is limited to integrity as per the CVSS score, with no direct impact on confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mayan EDMS to version 4.10.2 or later, as this version contains the fix for the vulnerability. Additionally, monitor for any backports released for older versions and apply them once available.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for DOM-based Cross-Site Scripting (XSS) in the /authentication/ path of Mayan EDMS versions up to 4.10.1. You can attempt to access URLs with malicious JavaScript payloads appended as hash fragments to see if the script executes, for example: - /authentication/login/#javascript:alert("XSS") - /authentication/password/reset/#javascript:alert("XSS") - /authentication/login/?next=/search/advanced/#javascript:alert("XSS") Using a web browser or tools like curl or wget will not directly execute JavaScript, so manual testing or automated browser-based testing tools (e.g., Burp Suite, OWASP ZAP) are recommended. For example, you can use curl to fetch the page and inspect if the vulnerable JavaScript code is present: curl -i https://your-mayan-edms-instance/authentication/login/ However, since this is a DOM-based XSS, detection requires observing script execution in a browser context. Automated scanners that support DOM XSS detection or manual testing by injecting payloads in the URL hash fragment are effective approaches. Upgrading to version 4.10.2 is the recommended mitigation. No specific command-line commands can reliably detect this vulnerability without browser interaction. [2, 3]