Search
Search Results (8 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61998 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61999 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61996 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61997 | 1 Opexus | 1 Foiaxpress | 2025-10-08 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-58462 | 2 Opexus, Opexustech | 2 Foiaxpress Pal, Foiaxpress Public Access Link | 2025-09-26 | 9.8 Critical |
| OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the underlying database. | ||||
| CVE-2025-54832 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | 4.3 Medium |
| OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories. | ||||
| CVE-2025-54833 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | 5.3 Medium |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords. | ||||
| CVE-2025-54834 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | 5.3 Medium |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | ||||
Page 1 of 1.