United States Department Of Justice

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE Audit versions prior to 11.14.1.0 **Description** An authenticated attacker can modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. The issue involves incorrect access control. **Recommendations** Update to eCASE Platform version 11.14.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE versions prior to 11.14.1.0 **Description** OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. This JavaScript is executed when another user views the Action History Log. The issue is a stored cross-site scripting (XSS) condition. The vulnerable functionality is related to the Document Check Out feature and the ability to add comments. **Recommendations** Update OPEXUS eCASE to version 11.14.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE Audit versions prior to 11.14.2.0 **Description** OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the “A or SIC Number” field within the Project Setup functionality. This JavaScript is executed when another user views the project. The affected field is used for project setup and allows for the storage of malicious code. The `A or SIC Number` field is the entry point for this issue. **Recommendations** Upgrade to OPEXUS eCASE Audit version 11.14.2.0 or later.