CVE-2026-32865

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json	Broken Link
https://www.cve.org/CVERecord?id=CVE-2026-32865	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*

History

30 Mar 2026, 13:12

Type	Values Removed	Values Added
CPE		cpe:2.3:a:opexustech:ecase_ecomplaint::::::::
First Time		Opexustech ecase Ecomplaint Opexustech
Summary		(es) OPEXUS eComplaint y eCASE antes de la versión 10.1.0.0 incluyen el código de verificación secreto en la respuesta HTTP al solicitar un restablecimiento de contraseña a través de 'ForcePasswordReset.aspx'. Un atacante que conoce la dirección de correo electrónico de un usuario existente puede restablecer la contraseña y las preguntas de seguridad del usuario. Las preguntas de seguridad existentes no se solicitan durante el proceso.
References	~~() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json -~~	() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json - Broken Link
References	~~() https://www.cve.org/CVERecord?id=CVE-2026-32865 -~~	() https://www.cve.org/CVERecord?id=CVE-2026-32865 - Third Party Advisory

19 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 16:16

Updated : 2026-03-30 13:12

NVD link : CVE-2026-32865

Mitre link : CVE-2026-32865

CVE.ORG link : CVE-2026-32865

JSON object : View

Products Affected

opexustech

ecase_ecomplaint

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

{"id": "CVE-2026-32865", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T16:16:03.260", "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "tags": ["Broken Link"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32865", "tags": ["Third Party Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}, {"lang": "es", "value": "OPEXUS eComplaint y eCASE antes de la versi\u00f3n 10.1.0.0 incluyen el c\u00f3digo de verificaci\u00f3n secreto en la respuesta HTTP al solicitar un restablecimiento de contrase\u00f1a a trav\u00e9s de 'ForcePasswordReset.aspx'. Un atacante que conoce la direcci\u00f3n de correo electr\u00f3nico de un usuario existente puede restablecer la contrase\u00f1a y las preguntas de seguridad del usuario. Las preguntas de seguridad existentes no se solicitan durante el proceso."}], "lastModified": "2026-03-30T13:12:06.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00DBEB81-3517-4AB8-9437-400D59729656", "versionEndExcluding": "10.1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}