va-25-280-01
Vulnerability from csaf_cisa
Published
2025-10-07 22:50
Modified
2025-10-07 22:50
Summary
OPEXUS FOIAXpress stored XSS
Notes
Legal Notice
All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed
Worldwide
Critical Infrastructure Sectors
Information Technology
Risk Evaluation
OPEXUS FOIAXpress before 11.13.3.0 contains multiple stored cross-site-scripting vulnerabilities. These vulnerabilities allow an authenticated administrative user to inject JavaScript or other content into various components of FOIAXpress. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.
Recommended Practices
Update to FOIAXpress 11.13.3.0 or later.
Company Headquarters Location
United States
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
"title": "Legal Notice"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries and Areas Deployed"
},
{
"category": "other",
"text": "Information Technology",
"title": "Critical Infrastructure Sectors"
},
{
"category": "summary",
"text": "OPEXUS FOIAXpress before 11.13.3.0 contains multiple stored cross-site-scripting vulnerabilities. These vulnerabilities allow an authenticated administrative user to inject JavaScript or other content into various components of FOIAXpress. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.",
"title": "Risk Evaluation"
},
{
"category": "general",
"text": "Update to FOIAXpress 11.13.3.0 or later.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "United States",
"title": "Company Headquarters Location"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "https://www.cisa.gov/report",
"issuing_authority": "CISA",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "Vulnerability Advisory VA-25-280-01 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json"
}
],
"title": "OPEXUS FOIAXpress stored XSS",
"tracking": {
"current_release_date": "2025-10-07T22:50:29Z",
"generator": {
"engine": {
"name": "VINCE-NT",
"version": "1.10.0"
}
},
"id": "VA-25-280-01",
"initial_release_date": "2025-10-07T22:50:29Z",
"revision_history": [
{
"date": "2025-10-07T22:50:29Z",
"number": "1.0.0",
"summary": "Initial publication"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c11.13.3.0",
"product": {
"name": "OPEXUS FOIAXpress \u003c11.13.3.0",
"product_id": "CSAFPID-0001"
}
},
{
"category": "product_version",
"name": "11.13.3.0",
"product": {
"name": "OPEXUS FOIAXpress 11.13.3.0",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "FOIAXpress"
}
],
"category": "vendor",
"name": "OPEXUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez"
],
"organization": "United States Department of Justice"
},
{
"names": [
"Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2025-61996",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-10-07T22:15:35Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "external",
"summary": "CVE-2025-61996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61996"
},
{
"category": "external",
"summary": "VA-25-280-01",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json"
}
],
"release_date": "2025-10-07T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS FOIAXpress stored XSS via annual report template"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez"
],
"organization": "United States Department of Justice"
},
{
"names": [
"Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2025-61997",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-10-07T22:25:16Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "external",
"summary": "VA-25-280-01",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json"
},
{
"category": "external",
"summary": "CVE-2025-61997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61997"
}
],
"release_date": "2025-10-07T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS FOIAXpress stored XSS via banner image"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez"
],
"organization": "United States Department of Justice"
},
{
"names": [
"Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2025-61998",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-10-07T22:30:03Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "external",
"summary": "CVE-2025-61998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61998"
},
{
"category": "external",
"summary": "VA-25-280-01",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json"
}
],
"release_date": "2025-10-07T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS FOIAXpress stored XSS via Hyperlink Manager"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez"
],
"organization": "United States Department of Justice"
},
{
"names": [
"Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2025-61999",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-10-07T22:40:56Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "external",
"summary": "VA-25-280-01",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json"
},
{
"category": "external",
"summary": "CVE-2025-61999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61999"
}
],
"release_date": "2025-10-07T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-09-15T00:00:00Z",
"details": "Fixed in 11.13.3.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS FOIAXpress stored XSS via logo image"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…