Skip to main content

Ecomplaint CVE-2026-32868

| EUVDEUVD-2026-13128 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 cisa-cg
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.2.0.0
EUVD ID Assigned
Mar 19, 2026 - 16:00 euvd
EUVD-2026-13128
Analysis Generated
Mar 19, 2026 - 16:00 vuln.today
CVE Published
Mar 19, 2026 - 15:48 nvd
MEDIUM 5.1

DescriptionCVE.org

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.

AnalysisAI

This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'), which represents a fundamental input validation and output encoding failure. The affected products—OPEXUS eComplaint and eCASE (confirmed via CPE cpe:2.3:a:opexus:ecomplaint and cpe:2.3:a:opexus:ecase)—fail to sanitize or encode the first and last name fields before storing and rendering them to users. Modern web applications should implement context-aware output encoding (HTML entity encoding for HTML context, JavaScript escaping for JS context) and input validation (allowlist of safe characters for name fields). The vulnerability is particularly concerning in complaint and case management systems where multiple users may view case records containing attacker-controlled name data, creating a wide exposure surface for XSS execution.

RemediationAI

Upgrade OPEXUS eComplaint and eCASE installations to version 10.2.0.0 or later, which contains proper input sanitization for the first and last name fields. This is the primary and recommended mitigation. Pending patch deployment, implement compensating controls: (1) apply strict Content Security Policy (CSP) headers to restrict script execution to trusted sources only; (2) configure Web Application Firewall (WAF) rules to detect and block common XSS patterns in HTTP requests targeting the 'My Information' endpoint; (3) limit access to case viewing functions to authorized personnel only via network segmentation or role-based access controls; (4) monitor application logs for suspicious name field submissions containing script tags or event handlers. Consult the CISA advisory (va-26-077-01) and CVE.org record for vendor-specific guidance and patch availability timelines.

Share

CVE-2026-32868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy