CVE-2025-14691
Unknown Unknown - Not Provided
Cross-Site Scripting in Mayan EDMS Authentication Module

Publication date: 2025-12-14

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-14
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14691
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mayan-edms mayan_edms to 4.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in Mayan EDMS versions up to 4.10.1. It occurs in an unknown function within the /authentication/ file. An attacker can exploit this vulnerability remotely by manipulating input to execute malicious scripts in the context of a user's browser. The vulnerability has been fixed in version 4.10.2.

Impact Analysis

The vulnerability can allow an attacker to perform cross-site scripting attacks, which may lead to the execution of malicious scripts in users' browsers. This can result in the attacker hijacking user sessions, defacing web content, or redirecting users to malicious sites. The impact is limited to integrity as per the CVSS score, with no direct impact on confidentiality or availability.

Mitigation Strategies

Upgrade Mayan EDMS to version 4.10.2 or later, as this version contains the fix for the vulnerability. Additionally, monitor for any backports released for older versions and apply them once available.

Detection Guidance

This vulnerability can be detected by testing for DOM-based Cross-Site Scripting (XSS) in the /authentication/ path of Mayan EDMS versions up to 4.10.1. You can attempt to access URLs with malicious JavaScript payloads appended as hash fragments to see if the script executes, for example: - /authentication/login/#javascript:alert("XSS") - /authentication/password/reset/#javascript:alert("XSS") - /authentication/login/?next=/search/advanced/#javascript:alert("XSS") Using a web browser or tools like curl or wget will not directly execute JavaScript, so manual testing or automated browser-based testing tools (e.g., Burp Suite, OWASP ZAP) are recommended. For example, you can use curl to fetch the page and inspect if the vulnerable JavaScript code is present: curl -i https://your-mayan-edms-instance/authentication/login/ However, since this is a DOM-based XSS, detection requires observing script execution in a browser context. Automated scanners that support DOM XSS detection or manual testing by injecting payloads in the URL hash fragment are effective approaches. Upgrading to version 4.10.2 is the recommended mitigation. No specific command-line commands can reliably detect this vulnerability without browser interaction. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart