Adam Rose

**Name of the Vulnerable Software and Affected Versions** OPEXUS eComplaint and eCASE versions prior to 10.1.0.0 **Description** The application includes the secret verification code in the HTTP response when a password reset is requested via the `ForcePasswordReset.aspx` endpoint. An attacker with knowledge of a user's email address can reset the user's password and bypass security questions, as they are not required during the process. The vulnerable parameter is not explicitly mentioned. **Recommendations** Versions prior to 10.1.0.0 should be updated to version 10.1.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eComplaint and eCASE versions prior to 10.2.0.0 **Description** OPEXUS eComplaint and eCASE does not properly sanitize the `first name` and `last name` fields within a user profile. An authenticated attacker can inject parts of a cross-site scripting (XSS) payload into these fields. The injected payload is executed when a user’s full name is displayed. This allows the attacker to execute script in the context of a victim’s session. **Recommendations** Update OPEXUS eComplaint and eCASE to version 10.2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eComplaint versions prior to 10.1.0.0 **Description** An unauthenticated attacker can obtain or guess an existing case number and upload arbitrary files via the 'Portal/EEOC/DocumentUploadPub.aspx' endpoint. Uploading a large number of files could consume storage, and users would see these unexpected files in cases. The vulnerable parameter is the file uploaded through the specified endpoint. **Recommendations** Update OPEXUS eComplaint to version 10.1.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eComplaint and eCASE versions prior to 10.2.0.0 **Description** OPEXUS eComplaint and eCASE does not properly sanitize input in the first and last name fields within the 'My Information' screen. An authenticated attacker can inject parts of a cross-site scripting (XSS) payload into these fields. This payload is then executed when a victim views the full name, allowing the attacker to run script within the context of the victim’s session. The vulnerable fields are the `first name` and `last name` fields. **Recommendations** Update OPEXUS eComplaint and eCASE to version 10.2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eComplaint and eCASE versions prior to 10.2.0.0 **Description** The software does not properly sanitize input for the "Name of Organization" field when creating case information. An authenticated attacker can inject a cross-site scripting (XSS) payload. This payload is executed when a victim views the case information page, potentially compromising their session. **Recommendations** Update to version 10.2.0.0 or later.