Description
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.
Published: 2026-03-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

A flaw in OPEXUS eComplaint and eCASE allows an authenticated user to insert malicious script fragments into their first or last name fields. When other users view the name, the attacker’s code executes in the victim’s browser, enabling the attacker to run scripts with the victim’s session privileges. This can lead to unauthorized data access, session hijacking, or delivery of additional malicious payloads.

Affected Systems

The vulnerability affects OPEXUS eComplaint and eCASE systems running versions older than 10.2.0.0, where name fields are rendered without proper sanitization. Any instance that displays unescaped first or last names is affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score below 1 percent denotes a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack requires authentication: an attacker updates their own profile to inject code, which later runs when the profile is displayed to another user. Successful exploitation can compromise confidentiality, integrity, or authorization within the victim’s session.

Generated by OpenCVE AI on March 30, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch or upgrade to version 10.2.0.0 or newer.
  • Verify installation by confirming the application version or contacting OPEXUS support.

Generated by OpenCVE AI on March 30, 2026 at 14:38 UTC.
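To make the flaw and its fix concrete, the following is an added Python example, not OPEXUS code; the profile values, the `<span>` wrapper and the function names are assumptions. It renders a full name the vulnerable way (raw concatenation of the stored fields) and the fixed way (escaping each field at the output boundary), and includes a defender-side audit that flags stored profiles whose name fields carry HTML metacharacters, a useful check before and after upgrading.

```python
import html
import re

# Constructed sample profiles (not taken from the advisory). The second one splits a
# script tag across the first and last name fields, so neither field alone is a
# complete payload but the naive "first + ' ' + last" concatenation is.
PROFILES = [
    {"first": "Ann", "last": "Lee"},
    {"first": "Ann<script>", "last": "alert(1)</script>"},
]

# Characters that are significant in HTML and have no business in a person's name.
_HTML_META = re.compile(r"[<>\"'&]")
# Assumed wrapper markup around the rendered full name.
_WRAPPER = re.compile(r'^<span class="name">(.*)</span>$', re.S)


def render_full_name_unsafe(profile):
    """Vulnerable pattern: stored fields are interpolated into HTML unescaped."""
    return f'<span class="name">{profile["first"]} {profile["last"]}</span>'


def render_full_name_safe(profile):
    """Fixed pattern: escape each field at the output boundary, then concatenate."""
    first = html.escape(profile["first"], quote=True)
    last = html.escape(profile["last"], quote=True)
    return f'<span class="name">{first} {last}</span>'


def name_is_inert(rendered):
    """True when the text inside the wrapper span contains no tag-start character."""
    m = _WRAPPER.match(rendered)
    return m is not None and "<" not in m.group(1)


def audit_profiles(profiles):
    """Indices of stored profiles whose name fields contain HTML metacharacters,
    for finding already-planted fragments in the database."""
    return [i for i, p in enumerate(profiles)
            if _HTML_META.search(p["first"]) or _HTML_META.search(p["last"])]


if __name__ == "__main__":
    for p in PROFILES:
        unsafe, safe = render_full_name_unsafe(p), render_full_name_safe(p)
        print("unsafe:", unsafe, "| inert:", name_is_inert(unsafe))
        print("safe:  ", safe, "| inert:", name_is_inert(safe))
    print("profiles needing review:", audit_profiles(PROFILES))
```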


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Opexustech; Opexustech ecase Ecomplaint
CPEs                                  cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*
Vendors & Products                    Opexustech; Opexustech ecase Ecomplaint

Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Opexus; Opexus ecase
Vendors & Products                    Opexus; Opexus ecase

Thu, 19 Mar 2026 19:15:00 +0000

Type     Values Removed   Values Added
Metrics                   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 16:00:00 +0000

Type         Values Removed   Values Added
Description                   OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.
Title                         OPEXUS eComplaint and eCase stored XSS via profile first and last name
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
                              cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-19T18:21:50.981Z

Reserved: 2026-03-16T20:57:12.860Z

Link: CVE-2026-32866

Vulnrichment

Updated: 2026-03-19T18:21:42.916Z

NVD

Status: Analyzed

Published: 2026-03-19T16:16:03.460

Modified: 2026-03-30T13:11:22.080

Link: CVE-2026-32866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:59:07Z

Weaknesses