CVE-2026-32865
Information Disclosure in OPEXUS eComplaint Password Reset Function
Publication date: 2026-03-19
Last updated on: 2026-03-30
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opexustech | ecase_ecomplaint | before 10.1.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OPEXUS eComplaint and eCASE versions before 10.1.0.0. When a password reset is requested via the 'ForcePasswordReset.aspx' page, the secret verification code is included in the HTTP response. An attacker who knows a user's email address can exploit this to reset the user's password and security questions without needing to answer the existing security questions.
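The flaw class described in this answer, modelled as an added example (not code from OPEXUS or from this advisory): a reset handler that echoes the verification code in its response, the corrected form that sends it only out of band, and a regression check that tells them apart. All function names, the in-memory store and the response bodies are constructed assumptions; the advisory does not say where in the response the code appears.

```python
import hmac
import secrets

# Constructed model, not the product's code: pending codes keyed by e-mail.
PENDING = {}
# Stand-in for the out-of-band channel (e.g. an e-mail to the account owner).
OUTBOX = []


def start_reset_leaky(email):
    """Flawed pattern: the secret code travels back in the HTTP response."""
    code = secrets.token_urlsafe(16)
    PENDING[email] = code
    # Constructed body; any place in the response is equally exposed.
    return {"status": 200, "body": f"<form data-code='{code}'>...</form>"}


def start_reset_hardened(email):
    """Corrected pattern: the code leaves the server only out of band."""
    code = secrets.token_urlsafe(16)
    PENDING[email] = code
    OUTBOX.append((email, code))
    return {"status": 200, "body": "<p>Check your e-mail for a code.</p>"}


def verify(email, submitted):
    """Single-use, constant-time comparison of the submitted code."""
    expected = PENDING.pop(email, None)
    return expected is not None and hmac.compare_digest(expected, submitted)


def response_leaks_code(email, response):
    """Regression check: is the pending code present in the response body?"""
    code = PENDING.get(email)
    return code is not None and code in response["body"]


if __name__ == "__main__":
    user = "user@example.test"  # constructed address
    print("leaky:", response_leaks_code(user, start_reset_leaky(user)))
    print("hardened:", response_leaks_code(user, start_reset_hardened(user)))
```

With the leaky handler, whoever submits the e-mail address receives everything `verify` needs; with the hardened one, only the holder of the mailbox does.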
How can this vulnerability impact me?
This vulnerability can allow an attacker to take over a user's account by resetting their password and security questions without proper verification. This can lead to unauthorized access to sensitive information and potentially full control over the affected user's account.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know