VA-26-008-01
Vulnerability from csaf_cisa - Published: 2026-01-08 16:36 - Updated: 2026-01-08 16:36
Summary
OPEXUS eCASE
Notes
Legal Notice
All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed
Worldwide
Critical Infrastructure Sectors
Information Technology
Risk Evaluation
OPEXUS eCASE Audit contains multiple vulnerabilities. An authenticated attacker could bypass authorization or inject JavaScript that could be executed in the context of other users.
Recommended Practices
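Update to eCase Audit v11.14.2.0 and eCase Platform v11.14.1.0. Both updates are needed: per the CVE descriptions in this advisory, CVE-2026-22230 and CVE-2026-22231 are fixed in eCASE Platform 11.14.1.0, while CVE-2026-22232 and CVE-2026-22233 are fixed in eCASE Audit 11.14.2.0.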
Company Headquarters Location
United States
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
"title": "Legal Notice"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries and Areas Deployed"
},
{
"category": "other",
"text": "Information Technology",
"title": "Critical Infrastructure Sectors"
},
{
"category": "summary",
"text": "OPEXUS eCASE Audit contains multiple vulnerabilities. An authenticated attacker could bypass authorization or inject JavaScript that could be executed in the context of other users.",
"title": "Risk Evaluation"
},
{
"category": "general",
"text": "Update to eCase Audit v11.14.2.0 and eCase Platform v11.14.1.0.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "United States",
"title": "Company Headquarters Location"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "https://www.cisa.gov/report",
"issuing_authority": "CISA",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "Vulnerability Advisory VA-26-008-01 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
}
],
"title": "OPEXUS eCASE",
"tracking": {
"current_release_date": "2026-01-08T16:36:15Z",
"generator": {
"engine": {
"name": "VINCE-NT",
"version": "1.11.0"
}
},
"id": "VA-26-008-01",
"initial_release_date": "2026-01-08T16:36:15Z",
"revision_history": [
{
"date": "2026-01-08T16:36:15Z",
"number": "1.0.0",
"summary": "Initial publication"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=11.4.0|\u003c11.14.1.0",
"product": {
"name": "OPEXUS eCASE Audit \u003e=11.4.0|\u003c11.14.1.0",
"product_id": "CSAFPID-0001"
}
},
{
"category": "product_version",
"name": "11.14.1.0",
"product": {
"name": "OPEXUS eCASE Audit 11.14.1.0",
"product_id": "CSAFPID-0002"
}
},
{
"category": "product_version_range",
"name": "\u003e=11.4.0|\u003c11.14.2.0",
"product": {
"name": "OPEXUS eCASE Audit \u003e=11.4.0|\u003c11.14.2.0",
"product_id": "CSAFPID-0003"
}
},
{
"category": "product_version",
"name": "11.14.2.0",
"product": {
"name": "OPEXUS eCASE Audit 11.14.2.0",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "eCASE Audit"
}
],
"category": "vendor",
"name": "OPEXUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez",
" Son Nguyen",
" Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2026-22230",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:P/A:N/T:P/2026-01-06T22:30:03Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "docs.opexustech.com",
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22230"
},
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
}
],
"release_date": "2026-01-08T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-01T00:00:00Z",
"details": "Fixed in version 11.14.1.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-11-01T00:00:00Z",
"details": "Fixed in version 11.14.1.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS eCASE Audit incorrect access control"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez",
" Son Nguyen",
" Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2026-22231",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:30:59Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "docs.opexustech.com",
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
},
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22231"
}
],
"release_date": "2026-01-08T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-01T00:00:00Z",
"details": "Fixed in version 11.14.1.0.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-11-01T00:00:00Z",
"details": "Fixed in version 11.14.1.0.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "OPEXUS eCASE Audit Document Check Out stored XSS"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez",
" Son Nguyen",
" Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2026-22232",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the \"A or SIC Number\" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:27:56Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0004"
],
"known_affected": [
"CSAFPID-0003"
]
},
"references": [
{
"category": "external",
"summary": "docs.opexustech.com",
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22232"
},
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
}
],
"release_date": "2026-01-08T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-29T00:00:00Z",
"details": "Fixed in 11.14.2.0.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-11-29T00:00:00Z",
"details": "Fixed in 11.14.2.0.",
"product_ids": [
"CSAFPID-0004"
],
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0003"
]
}
],
"title": "OPEXUS eCASE Audit Project Setup stored XSS"
},
{
"acknowledgments": [
{
"names": [
"Aaron M. Ramirez",
" Son Nguyen",
" Wesley Cuffee"
],
"organization": "United States Department of Justice"
}
],
"cve": "CVE-2026-22233",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the \"Estimated Staff Hours\" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:28:18Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0004"
],
"known_affected": [
"CSAFPID-0003"
]
},
"references": [
{
"category": "external",
"summary": "docs.opexustech.com",
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
},
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22233"
}
],
"release_date": "2026-01-08T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-29T00:00:00Z",
"details": "Fixed in 11.14.2.0.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
},
{
"category": "vendor_fix",
"date": "2025-11-29T00:00:00Z",
"details": "Fixed in 11.14.2.0.",
"product_ids": [
"CSAFPID-0004"
],
"url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0003"
]
}
],
"title": "OPEXUS eCASE Audit Project Cost stored XSS"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.