CVE-2025-13672
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in OpenText Web Site Management Server that allows attackers to inject malicious JavaScript via URL parameters. The malicious code executes in victims' browsers when they view specially crafted preview pages. This affects users of Web Site Management Server versions 16.7.0 and 16.7.1.
💻 Affected Systems
- OpenText Web Site Management Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of preview pages through client-side script execution.
If Mitigated
Limited impact if input validation and output encoding are properly implemented, though some functionality may be degraded.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.7.2 or later
Vendor Advisory: https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847
Restart Required: Yes
Instructions:
1. Download and install Web Site Management Server version 16.7.2 or later from the OpenText support portal.
2. Apply the update following OpenText's installation documentation.
3. Restart the Web Site Management Server service.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall (WAF) rules to filter malicious script patterns in URL parameters
Content Security Policy
Implement strict Content-Security-Policy headers to restrict script execution sources
🧯 If You Can't Patch
- Disable or restrict access to the preview functionality if not essential
- Implement network segmentation to limit exposure of vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Test by injecting basic XSS payloads into the URL parameters used by the preview functionality and checking whether they execute in the browser
Check Version:
Check server version in administration console or via system information tools specific to OpenText Web Site Management Server
Verify Fix Applied:
After patching, repeat XSS testing to confirm payloads are properly sanitized and do not execute
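The two points above (output encoding plus a CSP as the mitigation, and a before/after check as the verification) can be shown together in a small model of a preview endpoint. This is an added example, not OpenText code: the real Web Site Management Server parameter names are not on this page, so a `title` parameter on a `/preview` path is assumed, and the CSP value is a generic strict policy rather than one the vendor publishes. The `reflects_unencoded` check uses a benign marker string rather than a working script, which is enough to tell whether the server encodes what it reflects.

```python
import html
from urllib.parse import parse_qs

# Generic strict policy (assumption, not a vendor-supplied value): scripts only
# from the site's own origin, no plugins, no framing.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)

# Benign probe: markup-significant characters, no executable payload.
PROBE = '"<probe>'


def render_preview_unsafe(query_string: str) -> str:
    """'Before' behaviour: the URL parameter is written straight into the page."""
    params = parse_qs(query_string)
    title = params.get("title", [""])[0]        # hypothetical parameter name
    return f"<html><body><h1>Preview: {title}</h1></body></html>"


def render_preview_safe(query_string: str) -> tuple[str, dict]:
    """Hardened version: HTML-encode the reflected value and send a CSP header."""
    params = parse_qs(query_string)
    # quote=True also encodes " and ', so the value is safe inside attributes too.
    title = html.escape(params.get("title", [""])[0], quote=True)
    body = f"<html><body><h1>Preview: {title}</h1></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }
    return body, headers


def reflects_unencoded(body: str, probe: str = PROBE) -> bool:
    """Verification check: True if the probe comes back byte-for-byte (vulnerable),
    False if it was encoded or dropped (fix in place)."""
    return probe in body


if __name__ == "__main__":
    qs = "title=%22%3Cprobe%3E"               # URL-encoded form of PROBE
    print("unsafe reflects raw:", reflects_unencoded(render_preview_unsafe(qs)))
    body, headers = render_preview_safe(qs)
    print("safe reflects raw:  ", reflects_unencoded(body))
    print("CSP:", headers["Content-Security-Policy"])
```

Against a real deployment the same check is run by requesting the preview URL with the probe in each parameter it reads and inspecting the response body; encoding on output is what makes the "Verify Fix Applied" step pass, and the CSP limits what an injected script could do if encoding is ever missed.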
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with script tags or JavaScript code in access logs
- Multiple failed preview requests with suspicious parameters
Network Indicators:
- HTTP requests containing script tags or JavaScript in URL parameters
- Unusual redirects from preview pages
SIEM Query:
source="webserver_logs" AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
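The SIEM query above matches the four patterns against the raw URL field. The following added example (not part of the advisory, and not using real WSMS log output) applies the same patterns to constructed Common Log Format lines after URL-decoding the request path, which catches percent-encoded variants such as `onerror%3D` that a raw-string wildcard misses, and it shows where the pattern boundary sits: `onload` in a page name is not `onload=`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Common Log Format (not real WSMS logs).
# Lines 2-4 carry the patterns from the SIEM query; line 5 is a benign near-miss.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /preview?page=home HTTP/1.1" 200 512
10.0.0.6 - - [01/Dec/2025:10:00:02 +0000] "GET /preview?title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.7 - - [01/Dec/2025:10:00:03 +0000] "GET /preview?img=x%20onerror%3Dalert(1) HTTP/1.1" 200 600
10.0.0.8 - - [01/Dec/2025:10:00:04 +0000] "GET /preview?u=javascript:alert(1) HTTP/1.1" 302 0
10.0.0.9 - - [01/Dec/2025:10:00:05 +0000] "GET /preview?page=onload-handlers-doc HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Same four substrings as the advisory's SIEM query.
XSS_PATTERNS = ("<script", "javascript:", "onerror=", "onload=")


def normalise_url(raw_url: str) -> str:
    """Decode twice (double-encoding is a common filter-evasion) and lower-case."""
    return unquote_plus(unquote_plus(raw_url)).lower()


def flag_xss_requests(log_text: str) -> list[dict]:
    """Return one record per log line whose decoded URL contains an XSS pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in CLF
        raw_url = m.group("url")
        decoded = normalise_url(raw_url)
        matched = [p for p in XSS_PATTERNS if p in decoded]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "url": raw_url,
                "patterns": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_xss_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["patterns"]} {hit["url"]}')
```

The decoded match is what you want in the preview-page alert rule; the raw-URL match in the SIEM query still has value as a cheap first filter, and a `status` of 302 on a flagged request is the "unusual redirects from preview pages" indicator from the list above.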