Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.
AnalysisAI
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE versions before 10.2.0.0, where user profile first and last name fields lack proper input sanitization. An authenticated attacker can inject malicious JavaScript payloads into these fields, which execute in the context of any victim's session when the attacker's full name is rendered, allowing theft of session tokens, credential harvesting, or account manipulation. The vulnerability carries a CVSS 5.5 (medium) score but poses real risk due to its authenticated-but-no-special-privileges requirement and user interaction dependency; exploitation is likely straightforward given the simplicity of XSS injection techniques.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application input validation flaw. The OPEXUS eComplaint and eCASE platform (identified via CPE cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*) stores user profile metadata in database fields that are later rendered in HTML contexts without encoding. When the application constructs user profile pages or displays full names in lists, tables, or notifications, the unescaped name fields allow browser-side script execution. This is a stored XSS variant rather than reflected XSS because the payload persists in the user profile record and affects all subsequent viewers, making it particularly dangerous in multi-user business applications.
RemediationAI
The primary remediation is to upgrade OPEXUS eComplaint and eCASE to version 10.2.0.0 or later, which includes proper input sanitization for user profile fields. Organizations should apply this patch immediately to all affected instances. Until patching is feasible, implement compensating controls by restricting access to the application through network segmentation (limit to trusted IP ranges), enforcing strict Content Security Policy (CSP) headers to block inline script execution, and disabling or restricting the ability for low-privilege users to edit profile fields. Additionally, conduct immediate audit of user profile records to identify any suspicious or malicious entries in first and last name fields. Enable HTTP-only and Secure cookie flags to reduce session hijacking impact. For detailed patch availability and deployment instructions, refer to the CISA advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json and contact OPEXUS support for version-specific guidance.
A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attack
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows auth
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and l
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13124