CVE-2025-61997 in FOIAXpress
Summary
by MITRE • 10/08/2025
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.
Analysis
by VulDB Data Team • 10/10/2025
This vulnerability exists in the OPEXUS FOIAXpress platform in versions before 11.13.3.0 and specifically affects the Annual Report Enterprise Banner image upload functionality. The flaw is a classic stored cross-site scripting vulnerability that allows authenticated administrative users to inject JavaScript code or other content into the banner upload field. It falls under CWE-79 (Cross-Site Scripting): the server-side input validation that should have rejected such content is missing or insufficient. Because user-supplied input is not sanitized during the image upload process, the injected content is stored on the server and later rendered, and executed, in the browsers of other users who generate annual reports.
The operational impact of this vulnerability is serious because it lets a privileged attacker act against every other user of the report feature. When other users generate annual reports, the injected JavaScript executes in their browser context, giving the attacker the ability to steal session cookies, capture user credentials, or extract sensitive data from the victim's browser environment. This type of attack aligns with the ATT&CK techniques T1531 (Account Access Removal) and T1566 (Phishing), as it abuses the trust relationship between the application and its users to establish persistent access. The vulnerability effectively turns the administrative account into a vector for broader compromise across all users who interact with the annual report generation functionality.
The exploitation process begins with an administrative user accessing the banner upload feature and submitting content that carries a JavaScript payload. This payload is stored server-side and executed whenever any user generates an annual report, creating a persistent attack vector that can be leveraged for extended periods. Exploitation requires administrative privileges, so the attacker must already hold, or have compromised, an administrative account; because such accounts are more privileged than typical user accounts and are usually held by a small number of trusted individuals, a single malicious or compromised administrator can reach every user who generates reports. The execution context of the injected code allows for sophisticated attacks including, but not limited to, session hijacking, credential theft, data exfiltration, and potentially a persistent foothold maintained through the compromised user sessions. Organizations should implement immediate mitigations including input validation, output encoding, and proper content sanitization to prevent such injection attacks.
This vulnerability demonstrates the critical importance of proper input validation and output encoding in web applications, particularly in enterprise platforms where administrative functions can have far-reaching security implications. The flaw represents a failure in the principle of least privilege and proper security controls around user input handling, creating a persistent threat that can be exploited across multiple user sessions. Organizations should consider implementing comprehensive security measures including regular vulnerability assessments, web application firewalls, and strict access controls to prevent such scenarios. The vulnerability also highlights the need for security awareness training for administrative users, as these accounts are often targeted for privilege escalation attacks. Proper implementation of CSP (Content Security Policy) headers and regular security audits can help detect and prevent similar injection vulnerabilities in the future.
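The mitigations named above (server-side validation of the upload, output encoding where stored values are rendered, and a CSP on the generated report page) are shown together in the following added example. It is illustrative code written for this analysis, not OPEXUS code and not FOIAXpress's actual upload handler; the accepted image signatures, the filename pattern, the alt-text limit and the header set are assumptions chosen for the example, and the sample inputs are constructed.

```python
import html
import re
from dataclasses import dataclass

# Raster formats accepted for the banner, identified by leading magic bytes.
# Assumption: a report banner only ever needs PNG/JPEG/GIF; SVG and HTML are
# refused outright because both can carry script.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Stored filename is restricted to a conservative character set so it can never
# carry quotes, angle brackets or path separators into the page (assumed policy).
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]{1,48}\.(png|jpe?g|gif)$", re.IGNORECASE)
MAX_ALT_TEXT = 200  # assumed limit


class BannerRejected(ValueError):
    """Raised when an upload fails validation; the caller would answer HTTP 400."""


@dataclass(frozen=True)
class Banner:
    filename: str
    alt_text: str
    content_type: str
    data: bytes


def validate_banner_upload(filename: str, alt_text: str, declared_type: str, data: bytes) -> Banner:
    """Server-side validation of the banner upload, the layer the advisory says was insufficient."""
    # Decide the type from the bytes, never from the client-supplied content type.
    detected = next((ctype for magic, ctype in IMAGE_SIGNATURES.items() if data.startswith(magic)), None)
    if detected is None:
        raise BannerRejected("upload is not a PNG, JPEG or GIF image")
    if declared_type.lower() != detected:
        raise BannerRejected(f"declared type {declared_type!r} does not match image data ({detected})")
    if not SAFE_FILENAME.match(filename):
        raise BannerRejected("filename contains disallowed characters or extension")
    if len(alt_text) > MAX_ALT_TEXT:
        raise BannerRejected("alt text too long")
    return Banner(filename, alt_text, detected, data)


def upload_is_rejected(filename: str, alt_text: str, declared_type: str, data: bytes) -> bool:
    """Convenience wrapper: True when validation refuses the upload."""
    try:
        validate_banner_upload(filename, alt_text, declared_type, data)
    except BannerRejected:
        return True
    return False


def render_banner_vulnerable(banner: Banner) -> str:
    """The defect class: stored metadata concatenated into the report HTML unescaped."""
    return f'<img src="/banners/{banner.filename}" alt="{banner.alt_text}">'


def render_banner_safe(banner: Banner) -> str:
    """Output encoding: every stored value is HTML-escaped at the point it enters markup."""
    src = html.escape(banner.filename, quote=True)
    alt = html.escape(banner.alt_text, quote=True)
    return f'<img src="/banners/{src}" alt="{alt}">'


def report_response_headers() -> dict:
    """Defence in depth for the generated report page: a CSP without 'unsafe-inline'
    stops injected inline script from running even if an encoding bug slips through,
    and nosniff stops a mis-served upload from being interpreted as HTML."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "text/html; charset=utf-8",
    }


# Constructed sample inputs (not taken from the advisory).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HOSTILE_ALT = 'Annual Report"><script>alert(1)</script>'


if __name__ == "__main__":
    banner = validate_banner_upload("enterprise-banner.png", HOSTILE_ALT, "image/png", GOOD_PNG)
    print("vulnerable:", render_banner_vulnerable(banner))
    print("safe:      ", render_banner_safe(banner))
    print("svg rejected:", upload_is_rejected("banner.svg", "logo", "image/svg+xml", SVG_WITH_SCRIPT))
    print("headers:", report_response_headers())
```

The validation step alone does not cover the alt text, which is legitimately free text; that is why the hardened renderer escapes every stored value regardless of how it was validated, and why the CSP is applied to the report page rather than to the upload endpoint.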