CVE-2025-2196

Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2

Description: A vulnerability was found in the function upload of the file "/admin/file/upload.do" of the component org.marker.mushroom.controller.FileController. The manipulation of the argument path leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations: For MRCMS version 3.1.2, as a temporary workaround, consider disabling the upload function of the /admin/file/upload.do file until a patch is available. Restrict access to the org.marker.mushroom.controller.FileController component to minimize the risk of exploitation. Avoid using the path argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.