Description
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.
Published: 2026-01-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS in Document Check Out
Action: Apply patch
AI Analysis

Impact

The vulnerability allows an authenticated attacker to embed JavaScript code in a comment when checking out a document. The script is executed every time another user opens the action history log, giving the attacker potential access to the victim’s session, cookies or other sensitive data on the client side. The weakness is a classic stored cross‑site scripting flaw and is listed as CWE‑79.

Affected Systems

All installations of OPEXUS eCASE Audit Platform with versions older than 11.14.1.0 are affected. The issue exists in the Document Check Out functionality available to any authenticated user in the platform.

Risk and Exploitability

With a CVSS score of 4.8 the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers would need a valid authenticated session to inject the payload, so the attack vector is any authenticated user. Nonetheless, the risk of a successful XSS attack remains if attackers gain legitimate access or target a low‑privilege user with elevated trust.

Generated by OpenCVE AI on April 18, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OPEXUS eCASE Audit Platform to version 11.14.1.0 or later where the stored XSS bug is fixed.
  • If upgrading is not immediately possible, disable the Document Check Out or Action History Log functions for users who do not require them, and remove or sanitize any stored comments that may contain malicious scripts.
  • Implement a strong content security policy to restrict script execution and monitor for anomalous user‑agent activity that may indicate XSS exploitation.

Generated by OpenCVE AI on April 18, 2026 at 16:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Opexustech
Opexustech ecase Audit
CPEs cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*
Vendors & Products Opexustech
Opexustech ecase Audit

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Opexus
Opexus ecase Audit
Vendors & Products Opexus
Opexus ecase Audit

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.
Title OPEXUS eCASE Audit Document Check Out stored XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Opexus Ecase Audit
Opexustech Ecase Audit
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-01-08T17:50:43.361Z

Reserved: 2026-01-06T21:51:41.493Z

Link: CVE-2026-22231

cve-icon Vulnrichment

Updated: 2026-01-08T17:50:39.323Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T18:15:59.910

Modified: 2026-02-05T19:23:56.607

Link: CVE-2026-22231

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses