Skip to main content

Ecomplaint EUVDEUVD-2026-13130

| CVE-2026-32869 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 cisa-cg
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.2.0.0
EUVD ID Assigned
Mar 19, 2026 - 16:00 euvd
EUVD-2026-13130
Analysis Generated
Mar 19, 2026 - 16:00 vuln.today
CVE Published
Mar 19, 2026 - 15:49 nvd
MEDIUM 5.1

DescriptionCVE.org

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.

AnalysisAI

This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.

Technical ContextAI

The vulnerability stems from improper input sanitization in the case information form processing logic, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). OPEXUS eComplaint (CPE: cpe:2.3:a:opexus:ecomplaint:*:*:*:*:*:*:*:*) and eCASE (CPE: cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*) fail to properly escape or sanitize user-supplied data before rendering it in the DOM context. The 'Name of Organization' field accepts arbitrary input that is later reflected or stored in case detail pages without HTML entity encoding or content security policy enforcement, allowing script execution in the victim's security context.

RemediationAI

Upgrade OPEXUS eComplaint and eCASE to version 10.2.0.0 or later immediately. As an interim mitigation, restrict network access to case management interfaces to trusted IP ranges, disable or restrict authentication for low-privilege accounts, and implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads in form submissions. Additionally, enforce a strict Content Security Policy (CSP) header to prevent inline script execution even if injection succeeds. Users should review case records created by untrusted sources and consider temporary disabling of case information sharing pending patch deployment.

Share

EUVD-2026-13130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy