Description
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
Published: 2026-03-19
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Account Access
Action: Immediate Patch
AI Analysis

Impact

OPEXUS eComplaint and eCASE leak a secret verification code in the HTTP response when an account password reset is requested through the ForcePasswordReset.aspx endpoint. An attacker who knows a user’s email address can use this code to reset the user’s password and overwrite the security questions without being prompted for the existing questions. This flaw exposes sensitive information (CWE‑200) and allows unauthorized password reset (CWE‑640), resulting in full account takeover and compromise of confidentiality, integrity, and trust for the affected users.

Affected Systems

The vulnerability affects OPEXUS eCase and eComplaint prior to version 10.1.0.0. Any installation of these products that has not been upgraded beyond that release is susceptible.

Risk and Exploitability

The high CVSS score of 9.2 signals a critical impact, but the EPSS score of less than 1% indicates low likelihood of exploitation at this time and the issue is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is inferred to be remote, via the web interface, as the vulnerable endpoint is an HTTP service. An attacker would need the target email address, which may be leaked or discovered through other means, to exploit the flaw.

Generated by OpenCVE AI on March 30, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch or upgrade to OPEXUS eCase and eComplaint version 10.1.0.0 or later.

Generated by OpenCVE AI on March 30, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Opexustech
Opexustech ecase Ecomplaint
CPEs cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*
Vendors & Products Opexustech
Opexustech ecase Ecomplaint

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Opexus
Opexus ecase
Opexus ecomplaint
Vendors & Products Opexus
Opexus ecase
Opexus ecomplaint

Thu, 19 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
Title OPEXUS eComplaint and eCase insecure password reset
Weaknesses CWE-200
CWE-640
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opexus Ecase Ecomplaint
Opexustech Ecase Ecomplaint
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-19T18:20:51.170Z

Reserved: 2026-03-16T20:57:07.192Z

Link: CVE-2026-32865

cve-icon Vulnrichment

Updated: 2026-03-19T18:20:40.656Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T16:16:03.260

Modified: 2026-03-30T13:12:06.900

Link: CVE-2026-32865

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:59:08Z

Weaknesses