Filtered by vendor Opexus
Subscriptions
Total
17 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32867 | 1 Opexus | 1 Ecomplaint | 2026-03-20 | 5.4 Medium |
| OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage. | ||||
| CVE-2026-32868 | 1 Opexus | 2 Ecase, Ecomplaint | 2026-03-20 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session. | ||||
| CVE-2026-32869 | 1 Opexus | 2 Ecase, Ecomplaint | 2026-03-20 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page. | ||||
| CVE-2026-32865 | 1 Opexus | 2 Ecase, Ecomplaint | 2026-03-20 | 9.8 Critical |
| OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process. | ||||
| CVE-2026-32866 | 1 Opexus | 1 Ecase | 2026-03-20 | 5.5 Medium |
| OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session. | ||||
| CVE-2026-22234 | 2 Opexus, Opexustech | 2 Ecase Portal, Ecase Portal | 2026-03-10 | 9.8 Critical |
| OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | ||||
| CVE-2025-58462 | 2 Opexus, Opexustech | 2 Foiaxpress Pal, Foiaxpress Public Access Link | 2026-02-26 | 9.8 Critical |
| OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the underlying database. | ||||
| CVE-2025-62586 | 2 Opexus, Opexustech | 2 Foiaxpress, Foiaxpress | 2026-02-26 | 9.8 Critical |
| OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0. | ||||
| CVE-2026-22235 | 2 Opexus, Opexustech | 2 Ecomplaint, Ecase Ecomplaint | 2026-02-18 | 7.5 High |
| OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | ||||
| CVE-2026-22232 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | ||||
| CVE-2026-22231 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. | ||||
| CVE-2026-22233 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-02-05 | 5.5 Medium |
| OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. | ||||
| CVE-2026-22230 | 2 Opexus, Opexustech | 2 Ecase Audit, Ecase Audit | 2026-01-26 | 7.6 High |
| OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. | ||||
| CVE-2025-61999 | 2 Opexus, Opexustech | 2 Foiaxpress, Foiaxpress | 2025-10-22 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61997 | 2 Opexus, Opexustech | 2 Foiaxpress, Foiaxpress | 2025-10-22 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61996 | 2 Opexus, Opexustech | 2 Foiaxpress, Foiaxpress | 2025-10-22 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
| CVE-2025-61998 | 2 Opexus, Opexustech | 2 Foiaxpress, Foiaxpress | 2025-10-22 | 4.3 Medium |
| OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | ||||
Page 1 of 1.