CVE-2025-61999: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in OPEXUS FOIAXpress
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.
AI Analysis
Technical Summary
CVE-2025-61999 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting OPEXUS FOIAXpress versions prior to 11.13.3.0. The flaw arises because the application does not properly neutralize input during web page generation: an administrative user can upload an SVG image containing embedded JavaScript or other executable content for use as a logo. When other users open pages that display the logo, the embedded script executes in their browser context, which can lead to session cookie theft, credential compromise, or unauthorized actions performed on behalf of the victim. Exploitation requires administrative privileges to upload the malicious SVG and requires a victim to view the affected page, which makes exploitation more involved. The CVSS v3.1 base score is 4.3 (medium): network attack vector, low attack complexity, high privileges required, and user interaction required. No public exploits are known at this time, but the vulnerability is a real risk in environments where many users access FOIAXpress and administrative controls are not tightly managed. The root cause is insufficient input sanitization and output encoding of SVG content uploaded as logos, which allows script injection and execution in other users' browsers.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to sensitive information managed within FOIAXpress, including potentially confidential FOI (Freedom of Information) requests and responses. An administrative user who can inject scripts that execute in other users' browsers can hijack sessions and steal credentials, which could cascade into broader system compromise or data leakage. Given FOIAXpress's role in managing information requests, exploitation could undermine trust, violate data protection regulations such as GDPR, and cause reputational damage. The requirement for administrative privileges limits the threat to insiders or compromised admin accounts, but the impact on confidentiality, integrity, and availability of data remains significant. Organizations with many users accessing FOIAXpress are at higher risk, especially where administrative controls and monitoring are weak.
Mitigation Recommendations
Organizations should upgrade FOIAXpress to version 11.13.3.0 or later, the first version with the official fix, as soon as possible. Until patched, restrict the ability to upload or change logo images to a small set of highly trusted administrators and monitor all administrative activity closely. Validate SVG uploads strictly, rejecting files that contain script elements, event-handler attributes, or other potentially executable content. Deploy Content Security Policy (CSP) headers to limit where scripts may be loaded from and to reduce the impact of any injected script. Audit uploaded images and web content regularly for malicious code. Educate administrators about the risks of uploading untrusted SVG files and enforce multi-factor authentication to reduce the risk of compromised admin accounts. Finally, monitor logs for unusual user activity and access patterns that may indicate exploitation attempts.
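The strict SVG validation recommended above, as an added example that is not OPEXUS or FOIAXpress code: an allow-list check that rejects a logo upload if it contains script or style elements, event-handler attributes, or non-local hrefs. The sample SVGs, the function name svg_violations, and the forbidden-element set are this example's own assumptions.

```python
"""Allow-list check for SVG logo uploads (added example; not OPEXUS/FOIAXpress code)."""
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# A static logo never needs these; each one can run script or pull in remote content.
FORBIDDEN_ELEMENTS = {"script", "style", "foreignObject", "iframe", "embed",
                      "object", "use", "animate", "set"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_violations(data: bytes) -> List[str]:
    """Return the reasons an upload must be rejected; an empty list means it passed.
    Rejecting rather than stripping keeps the logic simple and avoids sanitizer bypasses."""
    try:
        # In production parse with defusedxml to also block entity-expansion attacks.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):                       # onload, onclick, ...
                problems.append(f"event handler {a} on <{name}>")
            elif attr in ("href", XLINK_HREF) and not v.startswith("#"):
                problems.append(f"non-local href on <{name}>")  # javascript:, http:, data:
            elif a == "style" and ("url(" in v or "expression(" in v or "@import" in v):
                problems.append(f"style with external reference on <{name}>")
    return problems


# Constructed samples for the check; not real FOIAXpress uploads.
SAFE_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#036"/></svg>')
UNSAFE_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<script>alert(1)</script><a href="https://example.invalid/">'
               b'<text>logo</text></a></svg>')

if __name__ == "__main__":
    print("safe:", svg_violations(SAFE_LOGO))
    print("unsafe:", svg_violations(UNSAFE_LOGO))
```

Browsers do not run script inside an SVG loaded through an <img> element, only when it is rendered inline or opened directly, so serving uploaded logos exclusively via <img> and sending a restrictive Content-Security-Policy on the file's own response is an independent second layer on top of this check.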
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-10-07T14:14:16.300Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e5a292a677756fc9a5a212
Added to database: 10/7/2025, 11:30:26 PM
Last enriched: 10/15/2025, 12:18:32 AM
Last updated: 11/20/2025, 6:06:18 AM