OPEXUS eComplaint and eCASE Insecure Password Reset Vulnerability

Vulnerability

In OPEXUS eComplaint and eCASE versions prior to 10.1.0.0, the secret verification code is included in the HTTP response to password reset requests made via 'ForcePasswordReset.aspx'. An attacker who knows a user's email address can therefore reset that user's password and security questions; the existing security questions are not prompted during the process and so are bypassed.
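The flaw class described above, shown as an added illustration that is not OPEXUS code and not taken from this advisory: a generic reset flow whose response echoes the verification code, beside a version that releases it only by email, plus a regression check for the leak. All function names, the in-memory OUTBOX and PENDING stores and the example address are assumptions.

```python
import hashlib
import hmac
import secrets

OUTBOX = []   # hypothetical stand-in for the mail system (out-of-band channel)
PENDING = {}  # email -> SHA-256 hex digest of the outstanding code

def _issue_code(email):
    """Create a code, keep only its hash server-side, and mail the code itself."""
    code = secrets.token_urlsafe(16)
    PENDING[email] = hashlib.sha256(code.encode()).hexdigest()
    OUTBOX.append((email, code))
    return code

def start_reset_weak(email):
    """Flawed pattern: the secret is echoed to whoever sent the request."""
    code = _issue_code(email)
    return {"status": "sent", "verificationCode": code}

def start_reset_hardened(email):
    """The secret leaves the server only via the mailbox; the response is constant."""
    _issue_code(email)
    return {"status": "If the account exists, a code has been sent."}

def complete_reset(email, submitted):
    """Single-use code: consumed on any attempt, compared in constant time."""
    expected = PENDING.pop(email, None)
    if expected is None:
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)

def response_leaks_code(response, email):
    """Regression check: does the response contain the code mailed to `email`?"""
    code = next(c for e, c in reversed(OUTBOX) if e == email)
    return code in repr(response)
```

A check like `response_leaks_code` belongs in the application's test suite so that a response carrying the mailed secret fails the build.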

Impact

Exploitation of this vulnerability allows for unauthorized password resets and security question changes, potentially leading to account takeover.

Added: Mar 19, 2026, 4:21 PM
Updated: Mar 19, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.