A reflected cross-site scripting (XSS) vulnerability exists in the web application. Unsanitized user input is directly reflected in the application's response without proper encoding, allowing attackers to inject and execute arbitrary JavaScript code in the victim's browser.

• Product: docuForm FSM Client
• Affected Versions: 11.11c
• Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• Risk Level: High - CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
• Vendor URL: www.docuform.de
• Vendor acknowledged vulnerability: Yes
• CVE: CVE-2025-65417

Successful exploitation allows attackers to execute scripts in the victim's browser context with the application's privileges. This can lead to session hijacking by stealing cookies, theft of sensitive data like credentials or personal information, unauthorized actions on behalf of the user or redirection to malicious sites for malware distribution.