CVE-2025-14692
Open Redirect Vulnerability in Mayan EDMS Authentication Module

Publication date: 2025-12-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation results in an open redirect. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue; the affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2" and, furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mayan-edms
Product: mayan_edms
Version / Range: up to 4.10.2 (exclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-14692 is an unauthenticated Open Redirect vulnerability in Mayan EDMS versions up to 4.10.1. The issue arises because multiple authentication-related endpoints improperly handle user-controlled input from the URL fragment (#) and the "next" parameter without any validation or sanitization. This flaw is due to insecure client-side JavaScript that manipulates the window.location object based on attacker-controlled URL fragments, causing the application to redirect users to arbitrary external websites specified by an attacker. This can be exploited remotely by tricking users into clicking crafted malicious URLs, leading to redirects to phishing sites, malware distribution pages, or credential harvesting domains. The vulnerability is fixed in version 4.10.2. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to redirect your users to malicious external websites without your consent. Such redirects can facilitate phishing attacks, malware distribution, and credential harvesting by exploiting the trust users have in your domain. Since the vulnerability is unauthenticated and easy to exploit remotely, attackers can craft malicious URLs that appear legitimate but redirect victims to harmful sites, potentially compromising user security and damaging your organization's reputation. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the affected Mayan EDMS endpoints for open redirect behavior. You can try accessing URLs with crafted parameters or fragments that include external URLs to see if the system redirects to those external sites. For example, testing URLs like `/authentication/login/#https://evil.com` or `/authentication/login/?next=/search/advanced/#https://evil.com` and observing if the application redirects to the external domain indicates the presence of the vulnerability. Using tools like curl or wget to send requests to these endpoints and checking the HTTP response headers for redirection can help detect the issue. Example command: `curl -I 'http://<target>/authentication/login/#https://evil.com'` and check if the Location header points to an external domain. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Mayan EDMS to version 4.10.2, where the issue has been fixed by the vendor. If upgrading immediately is not possible, consider restricting access to the affected authentication endpoints or implementing additional input validation and sanitization on URL fragments and parameters to prevent open redirects. Monitoring for suspicious redirect activity and educating users about phishing risks can also help reduce impact until the patch is applied. [3, 4]
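
As an added example (not Mayan EDMS code and not the vendor's fix), the client-side pattern the advisory describes, where the `next` parameter or the URL fragment is handed straight to the navigation target, is shown next to a hardened version that accepts only same-origin, path-only targets and falls back to "/" otherwise. The origin `APP_ORIGIN`, the helper names and the placeholder URLs are assumptions for illustration.

```javascript
// Hypothetical helpers, not Mayan EDMS code. APP_ORIGIN is a constructed placeholder.
const APP_ORIGIN = "https://edms.example.internal";

// Vulnerable pattern described in the advisory: whatever follows "#" (or arrives in
// ?next=) becomes the navigation target with no validation at all.
function unsafeRedirectTarget(fragmentOrNext) {
  return fragmentOrNext; // e.g. window.location = unsafeRedirectTarget(location.hash.slice(1))
}

// Hardened version: resolve the candidate against our own origin and keep it only if it
// stays on that origin; return the candidate as a path so the scheme/host can never change.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  // Protocol-relative ("//host") and backslash variants ("/\host") resolve off-origin in
  // browsers; reject them explicitly, along with control characters.
  if (/^[\\/]{2}/.test(candidate) || /[\u0000-\u001f]/.test(candidate)) return fallback;
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input is not a redirect target
  }
  // https://other-host, javascript:, data: etc. all produce a different (or "null") origin.
  if (parsed.origin !== APP_ORIGIN) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Select the candidate the way the advisory describes: ?next= first, then the fragment,
// but run the result through the validator before it is used for navigation.
function pickRedirectTarget(loginUrl) {
  const u = new URL(loginUrl, APP_ORIGIN);
  const next = u.searchParams.get("next");
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : "";
  return safeRedirectTarget(next || fragment);
}
```

Server-side handling of `next` should apply the same rule; a client-side check alone does not protect a server-issued Location header.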


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

