CVE-2025-61997

4.3 MEDIUM
Published: October 08, 2025 Modified: October 22, 2025
View on NVD

Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Release Notes
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-61997
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Third Party Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.3 / 10.0
EPSS (Exploit Probability)
0.0%
14th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

opexustech

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A