CVE-2026-32865

OPEXUS · eComplaint and eCASE

OPEXUS eComplaint and eCASE expose secret verification codes in HTTP responses during password resets. Attackers can use this to hijack accounts and reset security questions without authorization.

Executive summary

A critical information disclosure vulnerability in OPEXUS eComplaint and eCASE lets an unauthenticated attacker hijack user accounts: the password reset verification code is returned to whoever requested the reset, so the attacker reads it straight out of the server's response rather than from the victim's mailbox.

Vulnerability

The application incorrectly includes the secret password reset verification code in the HTTP response returned when the ForcePasswordReset.aspx page is requested. An unauthenticated attacker who knows a target's email address can trigger a reset for that account, read the code from the response, and complete the reset to gain full account access. No access to the victim's mailbox, no network interception and no user interaction are required, which is why the flaw rates as critical.
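The following is an added illustration of the flaw class described above, not OPEXUS code and not a reproduction of the actual eComplaint/eCASE response. It shows a reset handler that echoes the freshly generated code in its response next to the safe shape, plus the check a tester runs against a response body to confirm whether the code leaked. The function names, the JSON field names and the in-memory store are assumptions.

```python
"""Added illustration (not OPEXUS code): a password reset flow that leaks the
verification code in the HTTP response, beside the safe version, and a check
that detects the leak. Response shapes and storage are assumptions."""
import hmac
import json
import secrets

# Simulated server-side state (assumption: a real system uses a database/queue).
PENDING_CODES = {}   # email -> currently valid verification code
OUTBOUND_MAIL = []   # (email, code) pairs that would be sent out of band


def _issue_code(email):
    """Generate a 6-digit code, store it, and queue it for delivery by email."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[email] = code
    OUTBOUND_MAIL.append((email, code))
    return code


def vulnerable_reset(email):
    """The bug: the code that should only reach the mailbox is also placed in
    the response body, so the requester (the attacker) gets it directly."""
    code = _issue_code(email)
    return json.dumps({"status": "sent", "email": email, "verificationCode": code})


def fixed_reset(email):
    """Same flow, but the response carries nothing tied to the code. The
    message is also identical whether or not the account exists, so the
    endpoint cannot be used to enumerate valid email addresses."""
    _issue_code(email)
    return json.dumps({"status": "If the account exists, a reset code has been sent."})


def verify_code(email, submitted):
    """Second step of the reset: constant-time comparison against the stored code."""
    expected = PENDING_CODES.get(email)
    return expected is not None and hmac.compare_digest(expected, submitted)


def response_leaks_code(body, email):
    """Leak check: does the response body contain the code that is pending for
    this account? Useful as a regression test against the real endpoint once
    the fix is deployed (assumes the tester can read the pending code)."""
    code = PENDING_CODES.get(email)
    return code is not None and code in body


if __name__ == "__main__":
    leaky = vulnerable_reset("alice@example.org")
    print("vulnerable response leaks code:", response_leaks_code(leaky, "alice@example.org"))
    safe = fixed_reset("bob@example.org")
    print("fixed response leaks code:", response_leaks_code(safe, "bob@example.org"))
```

The fixed variant changes two things at once: the code travels only over the out-of-band channel, and the response is a fixed string, so it neither carries the secret nor reveals whether the address belongs to a real account.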

Business impact

The CVSS base score of 9.8 (critical) reflects an unauthenticated, network-reachable flaw with no user interaction required. Successful exploitation is a complete account takeover, giving the attacker access to whatever complaint data or case files the victim can see. Because the attacker can also reset the account's security questions, the legitimate user may be locked out until an administrator intervenes, causing operational disruption and undermining the integrity of the records held in the system.

Remediation

Immediate Action: Upgrade OPEXUS eComplaint and eCASE to version 10.1.0.0 or later to ensure verification codes are no longer exposed in responses.

Proactive Monitoring: Audit web server and application logs for bursts of requests to ForcePasswordReset.aspx from a single source IP, and for reset requests issued against many different accounts within a short window. A single legitimate user rarely resets more than one account; an attacker enumerating known email addresses does.

Compensating Controls: Until the upgrade is applied, rate-limit the password reset endpoint per source IP and per target account, and inspect outbound HTTP bodies from the reset page for the verification code so that any leak is blocked or alerted on. Note that rate limiting only slows mass exploitation; one request is enough to take over one targeted account, so it does not substitute for the patch.
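The two controls above, detection of reset abuse in logs and rate limiting of the reset endpoint, as an added worked example. This is not OPEXUS code, and the log format below is an assumption (one line per request: timestamp, client IP, method, path and the targeted account); adapt the regular expression to the fields your web server or application actually records. The sample log lines are constructed for the example.

```python
"""Added example (not OPEXUS code): flag password-reset abuse in request logs
and rate-limit the reset endpoint. Log format is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime

RESET_PATH = "/ForcePasswordReset.aspx"

# Constructed sample lines. Assumed format:
#   <ISO-8601 timestamp> <client ip> <method> <path> target=<account or ->
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 203.0.113.5 GET /ForcePasswordReset.aspx target=alice@example.org
2026-03-01T10:00:04Z 203.0.113.5 GET /ForcePasswordReset.aspx target=bob@example.org
2026-03-01T10:00:09Z 198.51.100.7 GET /Default.aspx target=-
2026-03-01T10:00:12Z 203.0.113.5 GET /ForcePasswordReset.aspx target=carol@example.org
2026-03-01T10:00:15Z 192.0.2.9 GET /ForcePasswordReset.aspx target=dave@example.org
2026-03-01T10:00:20Z 203.0.113.5 GET /ForcePasswordReset.aspx target=dave@example.org
2026-03-01T10:00:25Z 198.51.100.7 GET /ForcePasswordReset.aspx target=erin@example.org
2026-03-01T10:00:31Z 203.0.113.5 GET /ForcePasswordReset.aspx target=alice@example.org
2026-03-01T10:00:40Z 192.0.2.9 GET /ForcePasswordReset.aspx target=dave@example.org
2026-03-01T10:00:44Z 203.0.113.5 GET /ForcePasswordReset.aspx target=frank@example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) target=(\S+)$")


def parse_log(text):
    """One dict per well-formed line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, path, target = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "ip": ip, "method": method, "path": path, "target": target})
    return events


def find_reset_abuse(events, max_requests=5, max_targets=3, window_seconds=600):
    """Flag source IPs that hit the reset page at least max_requests times, or
    against at least max_targets distinct accounts, inside any sliding window
    of window_seconds. Reports the peak window per IP."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["path"].lower() == RESET_PATH.lower():
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        peak = None
        for ev in evs:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            targets = sorted({e["target"] for e in window})
            if len(window) >= max_requests or len(targets) >= max_targets:
                if peak is None or len(window) > peak["requests"]:
                    peak = {"ip": ip, "requests": len(window), "targets": targets}
        if peak:
            findings.append(peak)
    return findings


class ResetRateLimiter:
    """Sliding-window limiter; key by client IP, and separately by target
    account, to throttle both mass enumeration and repeated hits on one user."""

    def __init__(self, limit=3, window_seconds=600):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        """now is a float epoch timestamp; returns True if the request may proceed."""
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for finding in find_reset_abuse(parse_log(SAMPLE_LOG)):
        print(f"{finding['ip']}: {finding['requests']} resets against {finding['targets']}")
```

In the constructed sample, 203.0.113.5 issues six resets against five different accounts in under a minute and is the only source flagged; 192.0.2.9 resets the same account twice, which is within what a confused legitimate user does. Tune the thresholds to your own baseline, and remember that the limiter blocks the fifth or sixth attempt, not the first, so it is a brake on enumeration rather than protection for any single account.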

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations using OPEXUS eComplaint or eCASE must apply the version 10.1.0.0 update immediately. Because the flaw allows unauthenticated account takeover with nothing more than a known email address, it is a direct threat to the confidentiality of sensitive case management data, and any password resets logged before the upgrade that were not initiated by the account owner should be treated as possible compromises.