CVE-2025-61997 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting OPEXUS FOIAXpress versions prior to 11.13.3.0. The flaw arises from improper neutralization of input during web page generation, specifically in the Annual Report Enterprise Banner image upload field. An administrative user can inject arbitrary JavaScript or other executable content into this field. When other users generate or view the Annual Report, the injected script executes within their browser context, potentially allowing the attacker to perform unauthorized actions on behalf of those users. This includes stealing session cookies, capturing user credentials, or accessing sensitive data displayed in the application. The vulnerability requires the attacker to have administrative privileges to inject the malicious payload and relies on user interaction to trigger script execution. The CVSS 4.0 base score is 4.8 (medium severity), reflecting the network attack vector, low complexity, no required privileges beyond admin, and partial impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple users access Annual Reports generated by FOIAXpress. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for mitigation.

For European organizations using OPEXUS FOIAXpress, particularly those managing public records or freedom of information requests, this vulnerability could lead to unauthorized access to sensitive data and compromise user accounts. The ability for an administrative user to inject malicious scripts that execute in other users' browsers threatens confidentiality by enabling session hijacking and credential theft. Integrity may be affected if attackers manipulate displayed data or perform unauthorized actions on behalf of users. Availability impact is limited but possible if attackers disrupt user sessions or application functionality. Given that exploitation requires administrative privileges, the threat is somewhat contained but still significant in environments with multiple administrators or insufficient privilege controls. The vulnerability could undermine trust in transparency and reporting systems, especially in government or public sector entities across Europe. Additionally, organizations subject to GDPR must consider the data breach implications and potential regulatory penalties if sensitive personal data is exposed.

1. Immediately restrict administrative privileges to trusted personnel and enforce strict access controls to minimize the risk of malicious input injection. 2. Implement input validation and sanitization on the Annual Report Enterprise Banner image upload field to neutralize any embedded scripts or executable content. 3. Apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application context. 4. Monitor administrative actions and audit logs for suspicious activity related to banner image uploads or report generation. 5. Educate administrators on the risks of injecting untrusted content and enforce secure handling of upload fields. 6. If a patch becomes available from OPEXUS, prioritize its deployment across all affected systems. 7. Consider isolating the Annual Report generation environment or restricting report viewing to trusted networks or VPNs to reduce exposure. 8. Employ multi-factor authentication (MFA) for administrative accounts to reduce the risk of compromised credentials enabling exploitation.