Ecomplaint
Monthly
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrary files to the public document upload interface, potentially cluttering cases with malicious content and consuming server storage. The vulnerability requires user interaction but has no authentication requirements, affecting all instances running vulnerable versions with no available patch.
A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attackers to take over any user account by exploiting improper exposure of password reset verification codes in HTTP responses. The vulnerability affects all versions before 10.1.0.0 and enables attackers who know a user's email address to reset passwords and security questions without any verification, granting full account access. With a CVSS score of 9.8 and requiring no authentication or user interaction, this represents a severe risk to organizations using these complaint and case management systems.
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows authenticated attackers to inject malicious JavaScript into the 'Name of Organization' field during case creation. When a victim views the affected case information page, the unvalidated payload executes in their browser session, potentially leading to session hijacking, credential theft, or unauthorized actions. With a CVSS score of 5.5 (medium severity) requiring low attack complexity and user interaction, this represents a meaningful risk to authenticated users, though the requirement for prior authentication and user interaction limits its immediate exploitability.
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrary files to the public document upload interface, potentially cluttering cases with malicious content and consuming server storage. The vulnerability requires user interaction but has no authentication requirements, affecting all instances running vulnerable versions with no available patch.
A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attackers to take over any user account by exploiting improper exposure of password reset verification codes in HTTP responses. The vulnerability affects all versions before 10.1.0.0 and enables attackers who know a user's email address to reset passwords and security questions without any verification, granting full account access. With a CVSS score of 9.8 and requiring no authentication or user interaction, this represents a severe risk to organizations using these complaint and case management systems.