Description
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.
Published: 2026-01-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Authenticated users can embed JavaScript into the "Estimated Staff Hours" comment. When another user opens the Project Cost tab, the script runs in that user's browser context. The vulnerability permits the attacker to steal session cookies, deface the application, or perform arbitrary actions under the victim's identity, compromising the confidentiality and possibly the integrity of data.

Affected Systems

The flaw affects OPEXUS eCASE Audit for any version released before 11.14.2.0. Users of the product must verify whether they are on a version earlier than the patched release.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and the ability to edit the comment field, after which the malicious code runs in the context of any other user who views the affected tab. The attack is local to the application and does not involve remote code execution or network bypasses.

Generated by OpenCVE AI on April 18, 2026 at 07:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OPEXUS eCASE Audit 11.14.2.0 or later to remove the flaw.
  • Ensure that all user‑supplied comment fields are passed through a strict HTML sanitizer or are HTML‑escaped before rendering, thereby preventing unintended script execution (CWE‑79 mitigation).
  • Restrict or remove the Project Cost tab from users who do not require access to the "Estimated Staff Hours" field until the patch is applied.
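The output-encoding step from the second recommendation, as an added example that is neither OPEXUS code nor part of the OpenCVE record; the row layout, the function names and the sample comment are assumptions constructed for illustration:

```javascript
// Added example (not OPEXUS code): contextual HTML escaping for a comment field
// before it is rendered into the Project Cost tab. Element layout is assumed.

// Escape the five characters that can change HTML parsing context in element
// content and quoted attribute values. Output encoding is the CWE-79 mitigation
// the advisory recommends: the comment text is preserved, the markup is inert.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored comment is concatenated straight into markup,
// so any tags it contains become part of the page every time the tab is viewed.
function renderStaffHoursRowUnsafe(hours, comment) {
  return `<tr><td>${hours}</td><td class="comment">${comment}</td></tr>`;
}

// Hardened pattern: every user-controlled value is escaped at the point of
// output, so the browser displays the comment literally instead of parsing it.
function renderStaffHoursRowSafe(hours, comment) {
  return `<tr><td>${escapeHtml(hours)}</td><td class="comment">${escapeHtml(comment)}</td></tr>`;
}

// Regression check over a rendered fragment: a correctly escaped comment cell
// must not contain a raw '<', because every one would open a tag.
function containsRawMarkup(html) {
  const cell = html.match(/<td class="comment">(.*?)<\/td>/s);
  return cell !== null && cell[1].includes('<');
}

// Constructed sample comment carrying markup, as the advisory describes.
const SAMPLE_COMMENT = 'approx. 12h <script>/* constructed marker */</script>';
```

Escaping at the point of output is preferable to relying on input sanitisation alone, because a stored value may later be rendered in a context the input filter never anticipated.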


Advisories

No advisories yet.

History

Thu, 05 Feb 2026 19:15:00 +0000

First Time appeared (added): Opexustech; Opexustech ecase Audit
CPEs (added): cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*
Vendors & Products (added): Opexustech; Opexustech ecase Audit

Fri, 09 Jan 2026 13:30:00 +0000

First Time appeared (added): Opexus; Opexus ecase Audit
Vendors & Products (added): Opexus; Opexus ecase Audit

Thu, 08 Jan 2026 18:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Description (added): OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.
Title (added): OPEXUS eCASE Audit Project Cost stored XSS
Weaknesses (added): CWE-79
References: (no values shown)
Metrics (added): cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
Metrics (added): cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-01-08T17:51:26.101Z

Reserved: 2026-01-06T21:52:08.252Z

Link: CVE-2026-22233

Vulnrichment

Updated: 2026-01-08T17:51:22.879Z

NVD

Status : Analyzed

Published: 2026-01-08T18:16:00.220

Modified: 2026-02-05T19:23:24.787

Link: CVE-2026-22233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses