Nathan Spidle

**Name of the Vulnerable Software and Affected Versions** OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 **Description** An authenticated user can add entries to the list of states and territories. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 **Description** OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. This allows unauthenticated remote attackers to more easily brute force passwords. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 **Description** OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the `/App/CreateRequest.aspx` endpoint to check for the existence of valid usernames. The system lacks rate-limiting mechanisms. **Recommendations** Apply measures to limit the rate of requests to the `/App/CreateRequest.aspx` endpoint. Implement authentication checks for access to the `/App/CreateRequest.aspx` endpoint.