CVE-2026-32868

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json	Broken Link
https://www.cve.org/CVERecord?id=CVE-2026-32868	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*

History

30 Mar 2026, 13:06

Type	Values Removed	Values Added
References	~~() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json -~~	() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json - Broken Link
References	~~() https://www.cve.org/CVERecord?id=CVE-2026-32868 -~~	() https://www.cve.org/CVERecord?id=CVE-2026-32868 - Third Party Advisory
CPE		cpe:2.3:a:opexustech:ecase_ecomplaint::::::::
Summary		(es) OPEXUS eComplaint y eCASE anteriores a 10.2.0.0 no sanean correctamente el contenido de los campos de nombre y apellido en la pantalla 'Mi Información'. Un atacante autenticado puede inyectar partes de una carga útil de XSS en los campos de nombre y apellido. La carga útil se ejecuta cuando se renderiza el nombre completo. El atacante puede ejecutar scripts en el contexto de la sesión de una víctima.
First Time		Opexustech ecase Ecomplaint Opexustech

19 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 16:16

Updated : 2026-03-30 13:06

NVD link : CVE-2026-32868

Mitre link : CVE-2026-32868

CVE.ORG link : CVE-2026-32868

JSON object : View

Products Affected

opexustech

ecase_ecomplaint

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-32868", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T16:16:03.833", "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "tags": ["Broken Link"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32868", "tags": ["Third Party Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session."}, {"lang": "es", "value": "OPEXUS eComplaint y eCASE anteriores a 10.2.0.0 no sanean correctamente el contenido de los campos de nombre y apellido en la pantalla 'Mi Informaci\u00f3n'. Un atacante autenticado puede inyectar partes de una carga \u00fatil de XSS en los campos de nombre y apellido. La carga \u00fatil se ejecuta cuando se renderiza el nombre completo. El atacante puede ejecutar scripts en el contexto de la sesi\u00f3n de una v\u00edctima."}], "lastModified": "2026-03-30T13:06:05.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6172CD20-C918-423A-BDBF-66968C003010", "versionEndExcluding": "10.2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}