CVE-2025-61997 is an improper input neutralization vulnerability classified under CWE-79, commonly known as cross-site scripting (XSS), found in OPEXUS FOIAXpress prior to version 11.13.3.0. The flaw exists in the Annual Report Enterprise Banner image upload field, where an administrative user can inject arbitrary JavaScript or other executable content. When other users generate an Annual Report, the injected script executes within their browser context, effectively running with their privileges. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability requires administrative privileges to inject the malicious payload but does not require any user interaction for the payload to execute once the report is generated. The CVSS 4.8 score reflects a medium severity due to the need for high privileges to exploit and limited impact on availability and integrity. No patches or known exploits are currently documented, but the vulnerability poses a risk to confidentiality and user session integrity. The vulnerability is particularly concerning in environments where FOIAXpress is used to manage sensitive or public information requests, as it could allow an insider or compromised admin account to escalate attacks against other users.

For European organizations, especially public sector entities and information offices using FOIAXpress, this vulnerability could lead to unauthorized access to sensitive data, session hijacking, and potential data leakage. The ability for an administrative user to inject malicious scripts means insider threats or compromised admin accounts could exploit this vulnerability to escalate privileges or exfiltrate confidential information. This could undermine trust in public information systems and lead to regulatory compliance issues under GDPR due to unauthorized data exposure. The impact on availability is limited, but the confidentiality and integrity of user sessions and data are at risk. Organizations relying on FOIAXpress for managing Freedom of Information requests or public records could face reputational damage and operational disruption if exploited.

Organizations should immediately upgrade FOIAXpress to version 11.13.3.0 or later once available to remediate this vulnerability. Until a patch is applied, restrict administrative access to trusted personnel only and monitor admin activities closely for suspicious behavior. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Conduct regular audits of uploaded banner images and other inputs for injected scripts. Employ web application firewalls (WAFs) with rules targeting XSS payloads to detect and block malicious requests. Educate administrators on the risks of injecting untrusted content and enforce strict input validation and sanitization policies. Additionally, review session management practices to minimize the impact of potential session hijacking.