Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
AnalysisAI
A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attackers to take over any user account by exploiting improper exposure of password reset verification codes in HTTP responses. The vulnerability affects all versions before 10.1.0.0 and enables attackers who know a user's email address to reset passwords and security questions without any verification, granting full account access. With a CVSS score of 9.8 and requiring no authentication or user interaction, this represents a severe risk to organizations using these complaint and case management systems.
Technical ContextAI
The vulnerability occurs in the password reset functionality of OPEXUS eComplaint and eCASE web applications, specifically in the ForcePasswordReset.aspx page. According to the CPE data (cpe:2.3:a:opexus:ecomplaint:*:*:*:*:*:*:*:* and cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*), all versions prior to 10.1.0.0 are affected. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the application incorrectly includes secret verification codes directly in HTTP response bodies during the password reset process. This design flaw bypasses the intended security mechanism where verification codes should only be sent through out-of-band channels like email, allowing attackers to intercept and use these codes to complete unauthorized password resets.
RemediationAI
Organizations must immediately upgrade OPEXUS eComplaint and eCASE to version 10.1.0.0 or later, which addresses this critical authentication bypass vulnerability. Until patching is completed, implement compensating controls including disabling the ForcePasswordReset.aspx page if possible, implementing web application firewall rules to block access to password reset functionality, and monitoring authentication logs for suspicious password reset activities. Review the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json for additional guidance and consider resetting all user passwords after patching as accounts may have been compromised prior to remediation.
More in Ecomplaint
View allOPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrar
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows auth
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and l
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13122