CVE-2025-54834

Summary

OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.

Affected Software

VendorProductVersion RangeStatus
OPEXUSFOIAXpress Public Access Link (PAL)11.1.0 < 11.12.3.0affected
OPEXUSFOIAXpress Public Access Link (PAL)11.12.3.0unaffected

Weaknesses

  • CWE-204: CWE-204 Observable Response Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References