Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.
AnalysisAI
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.
Technical ContextAI
The vulnerability stems from improper input sanitization in the case information form processing logic, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). OPEXUS eComplaint (CPE: cpe:2.3:a:opexus:ecomplaint:*:*:*:*:*:*:*:*) and eCASE (CPE: cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*) fail to properly escape or sanitize user-supplied data before rendering it in the DOM context. The 'Name of Organization' field accepts arbitrary input that is later reflected or stored in case detail pages without HTML entity encoding or content security policy enforcement, allowing script execution in the victim's security context.
RemediationAI
Upgrade OPEXUS eComplaint and eCASE to version 10.2.0.0 or later immediately. As an interim mitigation, restrict network access to case management interfaces to trusted IP ranges, disable or restrict authentication for low-privilege accounts, and implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads in form submissions. Additionally, enforce a strict Content Security Policy (CSP) header to prevent inline script execution even if injection succeeds. Users should review case records created by untrusted sources and consider temporary disabling of case information sharing pending patch deployment.
More in Ecomplaint
View allA critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attack
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrar
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13130