CVE-2025-14692
Unknown Unknown - Not Provided
Open Redirect Vulnerability in Mayan EDMS Authentication Module

Publication date: 2025-12-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14692
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mayan-edms mayan_edms to 4.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14692 is an unauthenticated Open Redirect vulnerability in Mayan EDMS versions up to 4.10.1. The issue arises because multiple authentication-related endpoints improperly handle user-controlled input from the URL fragment (#) and the "next" parameter without any validation or sanitization. This flaw is due to insecure client-side JavaScript that manipulates the window.location object based on attacker-controlled URL fragments, causing the application to redirect users to arbitrary external websites specified by an attacker. This can be exploited remotely by tricking users into clicking crafted malicious URLs, leading to redirects to phishing sites, malware distribution pages, or credential harvesting domains. The vulnerability is fixed in version 4.10.2. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect your users to malicious external websites without your consent. Such redirects can facilitate phishing attacks, malware distribution, and credential harvesting by exploiting the trust users have in your domain. Since the vulnerability is unauthenticated and easy to exploit remotely, attackers can craft malicious URLs that appear legitimate but redirect victims to harmful sites, potentially compromising user security and damaging your organization's reputation. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by testing the affected Mayan EDMS endpoints for open redirect behavior. You can try accessing URLs with crafted parameters or fragments that include external URLs to see if the system redirects to those external sites. For example, testing URLs like `/authentication/login/#https://evil.com` or `/authentication/login/?next=/search/advanced/#https://evil.com` and observing if the application redirects to the external domain indicates the presence of the vulnerability. Using tools like curl or wget to send requests to these endpoints and checking the HTTP response headers for redirection can help detect the issue. Example command: `curl -I 'http://<target>/authentication/login/#https://evil.com'` and check if the Location header points to an external domain. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Mayan EDMS to version 4.10.2, where the issue has been fixed by the vendor. If upgrading immediately is not possible, consider restricting access to the affected authentication endpoints or implementing additional input validation and sanitization on URL fragments and parameters to prevent open redirects. Monitoring for suspicious redirect activity and educating users about phishing risks can also help reduce impact until the patch is applied. [3, 4]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart