CVE-2026-22234
OPEXUS · eCasePortal
OPEXUS eCasePortal versions prior to 9.0.45.0 contain an insecure direct object reference vulnerability in the 'Attachments.aspx' endpoint, allowing unauthorized file access and manipulation.
Executive summary
An unauthenticated file access vulnerability in OPEXUS eCasePortal allows attackers to download, delete, or upload files, posing a severe risk to data integrity.
Vulnerability
The 'Attachments.aspx' endpoint lacks proper authorization controls, allowing an unauthenticated attacker to iterate through 'formid' values. This permits unauthorized access to sensitive user-uploaded files and modification of the file repository.
Business impact
This vulnerability allows for the unauthorized disclosure of sensitive documents and potential data destruction, which could lead to severe reputational damage and regulatory non-compliance. With a CVSS score of 9.8, the risk of total data breach is significant.
Remediation
Immediate Action: Upgrade OPEXUS eCasePortal to version 9.0.45.0 or later to patch the authorization flaw.
Proactive Monitoring: Audit access logs for the 'Attachments.aspx' endpoint to identify patterns of sequential 'formid' requests indicative of enumeration attacks.
Compensating Controls: Restrict access to the eCasePortal application via network-level controls or a VPN to limit exposure to untrusted entities.
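As an added example that is not part of the advisory, the log audit suggested above can be scripted: the code below parses a few constructed IIS W3C-style log lines and flags client IPs that request consecutive 'formid' values against Attachments.aspx. The log field layout, the IP addresses and the formid values are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed IIS W3C-style log lines (sample data, not from the advisory).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-01-10 09:00:01 203.0.113.7 GET /Attachments.aspx formid=1041 200
2026-01-10 09:00:02 203.0.113.7 GET /Attachments.aspx formid=1042 200
2026-01-10 09:00:02 203.0.113.7 GET /Attachments.aspx formid=1043 404
2026-01-10 09:00:03 203.0.113.7 GET /Attachments.aspx formid=1044 200
2026-01-10 09:00:05 203.0.113.7 GET /Attachments.aspx formid=1045 200
2026-01-10 09:01:10 198.51.100.4 GET /Attachments.aspx formid=2210 200
2026-01-10 09:15:30 198.51.100.4 GET /Attachments.aspx formid=2217 200
2026-01-10 09:20:00 192.0.2.9 GET /Home.aspx - 200
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")
FORMID_RE = re.compile(r"(?:^|&)formid=(\d+)", re.IGNORECASE)

def parse_formid_requests(log_text):
    """Return (client_ip, formid) pairs for every request to Attachments.aspx,
    regardless of status code: failed lookups are part of an enumeration too."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("stem").lower().endswith("/attachments.aspx"):
            continue
        q = FORMID_RE.search(m.group("query"))
        if q:
            hits.append((m.group("ip"), int(q.group(1))))
    return hits

def find_enumeration(hits, min_run=4):
    """Flag client IPs whose formid values, in order of appearance, form a run
    of consecutive integers at least min_run long; returns {ip: longest_run}."""
    per_ip = defaultdict(list)
    for ip, fid in hits:
        per_ip[ip].append(fid)
    flagged = {}
    for ip, ids in per_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged
```

On the sample, only 203.0.113.7 is flagged (five consecutive formid values); the second client's two scattered requests fall below the threshold.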
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate patching is required to prevent unauthorized access to sensitive attachments. Administrators should verify the integrity of the file system following any potential unauthorized access attempts.