CVE-2025-2195

Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2

Description: A problem was found in the rename function of the /admin/file/rename.do file in the org.marker.mushroom.controller.FileController component. The manipulation of the name/path argument leads to cross-site scripting attacks. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond.

Recommendations: For MRCMS version 3.1.2, as a temporary workaround, consider disabling the rename function of the /admin/file/rename.do file until a patch is available. Restrict access to the org.marker.mushroom.controller.FileController component to minimize the risk of exploitation. Avoid using the name/path argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.