CVE-2025-65415: Session Fixation in docuFORM FSM Client

Apr 2026

Description

The application is vulnerable to session fixation because it does not generate a new session identifier after successful authentication. An attacker may preset a session ID and induce a victim to authenticate with it.

Details

Product: docuForm FSM Client
Affected Versions: 11.11c
Vulnerability Type: CWE-384: Session Fixation
Risk Level: Medium - CVSS 3.1: 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vendor URL: www.docuform.de
Vendor acknowledged vulnerability: Yes
CVE: CVE-2025-65415

Impact

Successful exploitation may allow an attacker to hijack a victim’s authenticated session, resulting in access to the application.

References

CVE-2025-65415
National Vulnerability Database CVE-2025-65415

Timeline

2025-10: Vulnerability reported to the vendor.
2025-11: Vendor published a fix for the issue.
2026-04: Information about the vulnerability is published.

Credits

Bastian Recktenwald (Bastian.Recktenwald@ZeroBreach.de)

Zurück zum Blog | Advisories