We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-54834

OPEXUS FOIAXpress Public Access Link (PAL) unauthenticated username enumeration



Description

OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.

Reserved 2025-07-30 | Published 2025-07-31 | Updated 2025-07-31 | Assigner cisa-cg


MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-204 Observable Response Discrepancy

Product status

Default status
unknown

11.1.0 before 11.12.3.0
affected

11.12.3.0
unaffected

Credits

Nathan Spidle, CISA

References

raw.githubusercontent.com/...IT/white/2025/va-25-174-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-54834 (url)

docs.opexustech.com/...OIAXpress_Release_notes_11.12.3.0.pdf (url)

cve.org (CVE-2025-54834)

nvd.nist.gov (CVE-2025-54834)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-54834

Support options

Helpdesk Chat, Email, Knowledgebase