Description
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.
Published: 2026-03-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated File Upload
Action: Immediate Patch
AI Analysis

Impact

In versions of OPEXUS eComplaint before 10.1.0.0, an unauthenticated attacker who obtains or guesses an existing case number can upload arbitrary files through the Portal/EEOC/DocumentUploadPub.aspx page. The uploaded files appear to legitimate users within the case and can be used to display unexpected content, or to consume server storage when a large number of files are uploaded. The weaknesses are classified as CWE-425 (Direct Request, "Forced Browsing") and CWE-639 (Authorization Bypass Through User-Controlled Key): the upload page can be requested directly without authentication, and the user-supplied case number is accepted without an authorization check.

Affected Systems

Any organization running OPEXUS eComplaint from OPEXUS Tech at a version older than 10.1.0.0 is affected. All releases before 10.1.0.0 lack the controls needed to validate the case identifier before accepting an upload.

Risk and Exploitability

With a CVSS score of 5.3, the issue is rated medium severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning CISA has not recorded active exploitation of it. An attacker still needs to know or guess a valid case number, but one who succeeds can place malicious files in a case or exhaust storage. The overall risk is moderate, tempered by the need to discover a case number and the low likelihood of exploitation.

Generated by OpenCVE AI on March 30, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OPEXUS eComplaint product to version 10.1.0.0 or later to apply the vendor’s fix.
  • Block unauthenticated access to the /Portal/EEOC/DocumentUploadPub.aspx endpoint through a web‑application firewall or network access controls.
  • Regularly scan the document repository for unexpected files and remove them when found.
  • Limit the size or number of files that can be uploaded to prevent storage exhaustion.
  • Monitor the vendor’s website for future patches and apply them promptly.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opexustech; Opexustech ecase Ecomplaint
CPEs | | cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*
Vendors & Products | | Opexustech; Opexustech ecase Ecomplaint

Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opexus; Opexus ecomplaint
Vendors & Products | | Opexus; Opexus ecomplaint

Thu, 19 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.
Title | | OPEXUS eComplaint unauthenticated file upload
Weaknesses | | CWE-425; CWE-639
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-19T18:22:21.300Z

Reserved: 2026-03-16T20:57:29.387Z

Link: CVE-2026-32867

Vulnrichment

Updated: 2026-03-19T18:22:16.303Z

NVD

Status: Analyzed

Published: 2026-03-19T16:16:03.640

Modified: 2026-03-30T13:10:38.170

Link: CVE-2026-32867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:59:06Z

Weaknesses