CVE-2025-61997
📋 TL;DR
OPEXUS FOIAXpress versions before 11.13.3.0 contain a stored cross-site scripting (XSS) vulnerability in the Annual Report Enterprise Banner image upload field. Administrative users can inject malicious JavaScript that executes when other users generate Annual Reports, potentially allowing session hijacking, credential theft, or data exfiltration. This affects all organizations using vulnerable versions of FOIAXpress.
💻 Affected Systems
- OPEXUS FOIAXpress
📦 What is this software?
Foiaxpress by Opexustech
⚠️ Risk & Real-World Impact
Worst Case
Administrative user steals session cookies and credentials of other users, gains full access to their accounts, exfiltrates sensitive FOIA data, and potentially compromises the entire FOIAXpress system.
Likely Case
Administrative user with malicious intent steals session cookies of targeted users, accesses their accounts without authorization, and views or modifies FOIA request data.
If Mitigated
Limited impact due to strict administrative access controls, regular monitoring, and prompt patch application.
🎯 Exploit Status
Exploitation requires administrative access to the FOIAXpress system. The attacker must know about the vulnerable field and have the ability to upload malicious content through it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.13.3.0
Vendor Advisory: https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf
Restart Required: No
Instructions:
1. Download FOIAXpress version 11.13.3.0 from the OPEXUS support portal.
2. Back up the current installation and database.
3. Run the upgrade installer following OPEXUS documentation.
4. Verify successful upgrade and functionality.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit administrative accounts to only trusted personnel and implement strict access controls.
Input Validation Enhancement
Implement additional input validation on the Annual Report Enterprise Banner field to reject JavaScript content.
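As an added example that is not part of this advisory or of OPEXUS's own code, the Python below shows what the validation workaround amounts to for an image upload field: accept only files whose leading bytes match an allowed image signature, reject uploads carrying script markers or filenames with HTML metacharacters, and HTML-escape every attribute when the banner is rendered into the report. The function names, the signature allowlist and the marker patterns are assumptions for illustration, not FOIAXpress behaviour.

```python
import html
import re

# Allowed banner image types and their leading magic bytes (constructed allowlist
# for this example; narrow it to what the report renderer actually supports).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Defence in depth behind the magic-byte check: markers that should never appear
# in a genuine raster image but do appear in SVG/HTML polyglots. Heuristic only.
SCRIPT_MARKERS = re.compile(rb"<script|javascript:|onload\s*=|onerror\s*=", re.IGNORECASE)

# Characters that would let a filename break out of an HTML attribute.
FILENAME_METACHARS = re.compile(r'[<>"\'&]')


def validate_banner_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an Annual Report banner upload."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file content does not match the declared image type"
    if SCRIPT_MARKERS.search(data):
        return False, "script markers found inside the upload"
    if FILENAME_METACHARS.search(filename):
        return False, "filename contains HTML metacharacters"
    return True, "ok"


def render_banner_tag(filename: str, alt_text: str) -> str:
    """Build the <img> tag for the report with every attribute HTML-escaped,
    so stored metadata cannot become markup when other users generate the report."""
    src = html.escape(f"/banners/{filename}", quote=True)
    alt = html.escape(alt_text, quote=True)
    return f'<img src="{src}" alt="{alt}">'
```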
🧯 If You Can't Patch
- Implement strict monitoring of administrative user activities and Annual Report generation logs.
- Apply Content Security Policy (CSP) headers to mitigate XSS impact if supported by the application.
🔍 How to Verify
Check if Vulnerable:
Check FOIAXpress version in administration panel. If version is below 11.13.3.0, the system is vulnerable.
Check Version:
Check the version in the FOIAXpress web interface under Administration > System Information.
Verify Fix Applied:
After upgrading to 11.13.3.0, verify version in administration panel and test the Annual Report Enterprise Banner field for XSS payload rejection.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative user activity in Annual Report module
- Multiple failed XSS payload attempts in web server logs
- Unexpected JavaScript content in Annual Report generation requests
Network Indicators:
- Unusual outbound connections from FOIAXpress server during Annual Report generation
- Suspicious data exfiltration patterns
SIEM Query:
source="foiaxpress_logs" AND (event="AnnualReportBannerUpload" OR event="AnnualReportGenerate") AND (message="*script*" OR message="*javascript*")