CVE-2026-22233

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf	Release Notes
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json	Broken Link
https://www.cve.org/CVERecord?id=CVE-2026-22233	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-08 18:16

Updated : 2026-02-05 19:23

NVD link : CVE-2026-22233

Mitre link : CVE-2026-22233

CVE.ORG link : CVE-2026-22233

JSON object : View

Products Affected

opexustech

ecase_audit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-22233", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-08T18:16:00.220", "references": [{"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf", "tags": ["Release Notes"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json", "tags": ["Broken Link"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-22233", "tags": ["Third Party Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the \"Estimated Staff Hours\" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0."}, {"lang": "es", "value": "OPEXUS eCASE Audit permite a un atacante autenticado guardar JavaScript como un comentario en el campo 'Horas de personal estimadas'. El JavaScript se ejecuta cada vez que otro usuario visita la pesta\u00f1a 'Costo del proyecto'. Corregido en OPEXUS eCASE Audit 11.14.2.0."}], "lastModified": "2026-02-05T19:23:24.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A4D2029-9D59-4E65-B116-7405E4D37F4F", "versionEndExcluding": "11.14.2.0", "versionStartIncluding": "11.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}