eCASE Audit
Stored cross-site scripting in OPEXUS eCASE Audit enables authenticated users to inject malicious JavaScript through the "Estimated Staff Hours" comment field, which executes when other users access the Project Cost tab. This allows attackers with valid credentials to compromise other users' sessions and perform unauthorized actions within the application. No patch is currently available for this vulnerability.
Stored cross-site scripting in OPEXUS eCASE Audit's Project Setup functionality allows authenticated users to inject malicious JavaScript into the "A or SIC Number" field that executes in other users' browsers when they view the project. An attacker with valid credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise data for all project viewers. No patch is currently available.
OPEXUS eCASE Audit's Document Check Out feature contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious JavaScript into comments, which executes in the browsers of other users viewing the Action History Log. This could enable attackers with valid credentials to steal session tokens, perform unauthorized actions, or compromise other users' accounts. No patch is currently available for affected installations.
OPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restrictions by manipulating client-side JavaScript or crafting direct HTTP requests to re-enable disabled functions and buttons. This vulnerability affects eCASE Platform versions prior to 11.14.1.0 and could enable attackers to perform unauthorized actions that administrators have explicitly blocked. No patch is currently available for affected deployments.