Description
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
Published: 2026-01-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

OPEXUS eCASE Audit allows an authenticated attacker to store malicious JavaScript in the 'A or SIC Number' field within the Project Setup functionality. When another user later views that project, the stored script executes in their browser. This flaw is a stored Cross‑Site Scripting vulnerability (CWE‑79).

Affected Systems

The vulnerability affects OPEXUS eCASE Audit deployments running any version earlier than 11.14.2.0. All users of the affected versions are susceptible until the product is upgraded.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation. The flaw requires authentication and internal access to the Project Setup interface, making it most relevant to insiders or compromised accounts. It is not listed in the CISA KEV catalog, so it is not currently a known exploited vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OPEXUS eCASE Audit to version 11.14.2.0 or later to remediate the stored XSS flaw.
  • Implement input validation on the 'A or SIC Number' field to reject script tags and enforce a whitelist of allowed characters.
  • Restrict project setup permissions to the minimum user roles required to reduce the attack surface of the authenticated vector.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Opexustech
Opexustech ecase Audit
CPEs cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*
Vendors & Products Opexustech
Opexustech ecase Audit

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Opexus
Opexus ecase Audit
Vendors & Products Opexus
Opexus ecase Audit

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
Title OPEXUS eCASE Audit Project Setup stored XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-01-08T17:51:05.746Z

Reserved: 2026-01-06T21:51:53.790Z

Link: CVE-2026-22232

Vulnrichment

Updated: 2026-01-08T17:51:01.031Z

NVD

Status: Analyzed

Published: 2026-01-08T18:16:00.063

Modified: 2026-02-05T19:24:46.560

Link: CVE-2026-22232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z
