Skip to main content

Ecomplaint EUVDEUVD-2026-13122

| CVE-2026-32865 CRITICAL
Information Exposure (CWE-200)
2026-03-19 cisa-cg
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.1.0.0
EUVD ID Assigned
Mar 19, 2026 - 16:00 euvd
EUVD-2026-13122
Analysis Generated
Mar 19, 2026 - 16:00 vuln.today
CVE Published
Mar 19, 2026 - 15:47 nvd
CRITICAL 9.2

DescriptionCVE.org

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.

AnalysisAI

A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attackers to take over any user account by exploiting improper exposure of password reset verification codes in HTTP responses. The vulnerability affects all versions before 10.1.0.0 and enables attackers who know a user's email address to reset passwords and security questions without any verification, granting full account access. With a CVSS score of 9.8 and requiring no authentication or user interaction, this represents a severe risk to organizations using these complaint and case management systems.

Technical ContextAI

The vulnerability occurs in the password reset functionality of OPEXUS eComplaint and eCASE web applications, specifically in the ForcePasswordReset.aspx page. According to the CPE data (cpe:2.3:a:opexus:ecomplaint:*:*:*:*:*:*:*:* and cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*), all versions prior to 10.1.0.0 are affected. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the application incorrectly includes secret verification codes directly in HTTP response bodies during the password reset process. This design flaw bypasses the intended security mechanism where verification codes should only be sent through out-of-band channels like email, allowing attackers to intercept and use these codes to complete unauthorized password resets.

RemediationAI

Organizations must immediately upgrade OPEXUS eComplaint and eCASE to version 10.1.0.0 or later, which addresses this critical authentication bypass vulnerability. Until patching is completed, implement compensating controls including disabling the ForcePasswordReset.aspx page if possible, implementing web application firewall rules to block access to password reset functionality, and monitoring authentication logs for suspicious password reset activities. Review the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json for additional guidance and consider resetting all user passwords after patching as accounts may have been compromised prior to remediation.

Share

EUVD-2026-13122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy