Apr 2026
Description
A stored cross‑site scripting (XSS) vulnerability exists in the dfm-menu_departments.php component due to improper neutralization of user‑controllable input before it is embedded into dynamically generated web pages. An authenticated attacker can inject arbitrary JavaScript code that is stored by the application and later rendered unsafely in the browsers of other users.
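As an added illustration of the CWE-79 pattern described above (this is not the vendor's code; dfm-menu_departments.php itself is not shown here), a department name that is stored as submitted and echoed into the menu without encoding, beside the corrected rendering that encodes at output. The in-memory store, field name and markup are assumptions.

```php
<?php
// Constructed stand-in for the application's data store.
// Assumption: the real page reads department names from a database.
$departments = [];

// Storage keeps the value as submitted. Storing the raw string is not itself
// the bug; encoding belongs at the point of output, so the same record can
// later be emitted safely into HTML, JSON or an export.
function saveDepartment(array &$store, string $name): void {
    $store[] = ['name' => $name];
}

// Vulnerable rendering: the stored string is concatenated straight into the
// HTML, so any markup it carries becomes part of the page for every viewer.
function renderMenuVulnerable(array $store): string {
    $html = '<ul class="dfm-menu">';
    foreach ($store as $row) {
        $html .= '<li data-name="' . $row['name'] . '">' . $row['name'] . '</li>';
    }
    return $html . '</ul>';
}

// Hardened rendering: every user-controlled value goes through an HTML encoder
// matching the context it lands in. ENT_QUOTES covers both quote styles (needed
// for the attribute); the explicit charset avoids encoding mismatches.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMenuHardened(array $store): string {
    $html = '<ul class="dfm-menu">';
    foreach ($store as $row) {
        $html .= '<li data-name="' . h($row['name']) . '">' . h($row['name']) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed test input: one benign name and one carrying markup.
saveDepartment($departments, 'Sales');
saveDepartment($departments, '"><script>alert(1)</script>');

$vuln = renderMenuVulnerable($departments);
$safe = renderMenuHardened($departments);

// Regression-style check: the hardened output must carry no raw tag or
// unescaped quote that originated from stored data.
if (!str_contains($vuln, '<script>'))      throw new RuntimeException('vulnerable path changed');
if (str_contains($safe, '<script>'))       throw new RuntimeException('tag leaked into output');
if (!str_contains($safe, '&lt;script&gt;')) throw new RuntimeException('encoding missing');
echo $safe, PHP_EOL;
```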
Details
  • Product: docuForm FSM Server
  • Affected Versions: 11.11c
  • Vulnerability Type: CWE‑79: Improper Neutralization of Input During Web Page Generation (“Cross‑site Scripting”)
  • Risk Level: High - CVSS 3.1: 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
  • Vendor URL: www.docuform.de
  • Vendor acknowledged vulnerability: Yes
  • CVE: CVE-2025-61309
Impact
An attacker can exploit this vulnerability to inject and store malicious scripts within the application's data store, which are executed in the context of other users' sessions when the affected page is rendered. Successful exploitation facilitates the theft of sensitive session identifiers or personal user information, potentially leading to unauthorized account takeover, performance of unintended actions on behalf of the victim, or modification of the application.
References
Timeline
  • 2025-10: Vulnerability reported to the vendor.
  • 2025-11: Vendor published a fix for the issue.
  • 2026-04: Information about the vulnerability is published.
Credits