CVE-2025-61999

4.3 MEDIUM

📋 TL;DR

OPEXUS FOIAXpress versions before 11.13.3.0 contain a stored cross-site scripting (XSS) vulnerability where administrative users can upload malicious SVG images containing JavaScript. When other users view pages displaying these images, the embedded code executes in their browser context, potentially allowing session hijacking or credential theft. This affects all organizations using vulnerable versions of FOIAXpress.

💻 Affected Systems

Products:
  • OPEXUS FOIAXpress
Versions: All versions before 11.13.3.0
Operating Systems: Windows Server (typical deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative privileges to upload SVG files. All deployments with admin users are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious or compromised administrator uploads an SVG whose embedded script runs in the browser of every user who opens it, capturing session tokens or credentials (session cookies are only at risk if they are not marked HttpOnly) and using the hijacked sessions to read and exfiltrate sensitive FOIA case data for as long as the file stays published.

🟠

Likely Case

Privileged insider or compromised admin account performs targeted session hijacking against specific users to access sensitive FOIA records and personal data.

🟢

If Mitigated

Limited impact where strong access controls, monitoring of admin activity, and a content security policy on the responses that serve uploaded images prevent the script from executing or limit what it can reach.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires administrative access to upload malicious SVG files. Exploitation is straightforward once admin access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.13.3.0

Vendor Advisory: https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf

Restart Required: No

Instructions:

1. Download FOIAXpress version 11.13.3.0 from the OPEXUS support portal.
2. Back up the current installation and database.
3. Run the upgrade installer following the vendor documentation.
4. Verify the upgrade succeeded by checking the version number.

🔧 Temporary Workarounds

Restrict SVG Uploads

all

Configure web application firewall or server rules to block SVG file uploads to FOIAXpress.

Implement Content Security Policy

web

Add CSP headers to prevent inline script execution from uploaded images. The header must be sent on the response that delivers the uploaded SVG itself: a script inside an SVG only runs when the file is loaded as a document (navigating to its URL, or embedding it via <object> or <iframe>), not when it is referenced from an <img> tag. A policy without 'unsafe-inline' blocks both <script> elements and on* event handlers in the SVG:

Content-Security-Policy: script-src 'self'

Note that applying this policy site-wide will also block any inline scripts the application's own pages rely on; scope it to the path that serves uploaded files where possible, or serve those files with Content-Disposition: attachment so the browser never renders them as a document.

🧯 If You Can't Patch

  • Implement strict admin user monitoring and review all SVG uploads
  • Disable logo upload functionality entirely in administrative settings

🔍 How to Verify

Check if Vulnerable:

Check FOIAXpress version in administrative console. If version is below 11.13.3.0, system is vulnerable.

Check Version:

Check Help > About in FOIAXpress administrative interface

Verify Fix Applied:

After patching, verify that the version shown in the administrative console is 11.13.3.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads by admin users
  • Multiple failed login attempts followed by SVG upload

Network Indicators:

  • Outbound connections to unknown domains following SVG file access

SIEM Query:

source="foiaxpress" AND (event="file_upload" AND file_extension=".svg")
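The query above lists every SVG upload; the second log indicator (failed logins followed by an SVG upload) needs a correlation step. As an added example, not part of the original page or of any OPEXUS tooling, the following Python walks a stream of application log lines and attaches to each SVG upload the number of failed logins the same account produced in the preceding window. The `timestamp key=value` line format, the field names and the sample lines are all constructed for the demonstration; map them to whatever your FOIAXpress logs or SIEM actually emit.

```python
"""Correlate failed logins with later SVG uploads by the same account.

Added example for CVE-2025-61999 (not OPEXUS code). Log format, field names
and the sample lines are constructed; adapt them to your real log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: ISO-8601 UTC timestamp followed by space-separated key=value
# pairs (values are assumed not to contain spaces).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> tuple[datetime, dict]:
    """Split one constructed log line into a timestamp and a field dict."""
    match = LINE_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(pair.split("=", 1) for pair in match.group("kv").split())
    return ts, fields


def svg_uploads(lines, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return every SVG upload with the count of that user's failed logins
    inside `window` before the upload (lines must be in time order)."""
    failures = defaultdict(list)  # user -> timestamps of failed logins
    uploads = []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = f.get("user", "?")
        if f.get("event") == "login_failed":
            failures[user].append(ts)
        elif f.get("event") == "file_upload" and f.get("file", "").lower().endswith(".svg"):
            recent = [t for t in failures[user] if ts - window <= t <= ts]
            uploads.append({"ts": ts.isoformat(), "user": user,
                            "file": f["file"], "prior_failures": len(recent)})
    return uploads


def suspicious_uploads(lines, threshold: int = 3, **kw) -> list[dict]:
    """SVG uploads preceded by at least `threshold` failed logins for that user."""
    return [u for u in svg_uploads(lines, **kw) if u["prior_failures"] >= threshold]


# Constructed sample: admin2 fails three times, logs in, then uploads an SVG;
# admin1 uploads an SVG and a PNG with no preceding failures.
SAMPLE_LOG = """
2025-10-20T08:55:01Z user=admin2 event=login_failed src=203.0.113.5
2025-10-20T08:55:09Z user=admin2 event=login_failed src=203.0.113.5
2025-10-20T08:55:20Z user=admin2 event=login_failed src=203.0.113.5
2025-10-20T08:56:02Z user=admin2 event=login_success src=203.0.113.5
2025-10-20T08:58:40Z user=admin2 event=file_upload file=logo.svg
2025-10-20T10:12:00Z user=admin1 event=file_upload file=seal.svg
2025-10-20T10:13:00Z user=admin1 event=file_upload file=banner.png
""".splitlines()

if __name__ == "__main__":
    for upload in svg_uploads(SAMPLE_LOG):
        print(upload)
    print("suspicious:", suspicious_uploads(SAMPLE_LOG))
```

Every SVG upload by an administrator is worth a look on an unpatched system, so `svg_uploads` keeps all of them; `suspicious_uploads` is the narrower alert that corresponds to a possibly compromised admin account. The window and threshold are tuning knobs, not values taken from the advisory.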
