Search criteria
6 vulnerabilities found for Web Site Management Server by OpenText™
CVE-2025-9208 (GCVE-0-2025-9208)
Vulnerability from nvd – Published: 2026-02-19 22:37 – Updated: 2026-02-24 14:34
VLAI?
Title
Stored-XSS vulnerability discovered in OpenText WSM Management Server.
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.
This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.x
Affected: 16.8 Affected: 16.8.1 |
Credits
Murat Altindis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:18:37.430755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:18:43.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:34:34.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-9208/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.x"
},
{
"status": "affected",
"version": "16.8"
},
{
"status": "affected",
"version": "16.8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Murat Altindis"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Stored XSS. T\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.\n\nThis issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:37:19.208Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854844"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854844\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854844\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854844"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored-XSS vulnerability discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-9208",
"datePublished": "2026-02-19T22:37:19.208Z",
"dateReserved": "2025-08-19T18:53:11.073Z",
"dateUpdated": "2026-02-24T14:34:34.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13672 (GCVE-0-2025-13672)
Vulnerability from nvd – Published: 2026-02-19 22:36 – Updated: 2026-02-24 14:42
VLAI?
Title
Reflected Cross-Site Scripting discovered in OpenText WSM Management Server.
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.
This issue affects Web Site Management Server: 16.7.0, 16.7.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.0
Affected: 16.7.1 |
Credits
Mario Tesoro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:14:57.003270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:15:35.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:42:46.727Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.0"
},
{
"status": "affected",
"version": "16.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mario Tesoro"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Reflected XSS. The vulnerability could allow\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003einjecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.0, 16.7.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Reflected XSS. The vulnerability could allow\u00a0injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:36:33.467Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854847"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854847\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854847\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854847"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected Cross-Site Scripting discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-13672",
"datePublished": "2026-02-19T22:36:33.467Z",
"dateReserved": "2025-11-25T17:03:44.542Z",
"dateUpdated": "2026-02-24T14:42:46.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13671 (GCVE-0-2025-13671)
Vulnerability from nvd – Published: 2026-02-19 22:36 – Updated: 2026-02-24 14:39
VLAI?
Title
Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.
Summary
Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.
This issue affects Web Site Management Server: 16.7.0, 16.7.1.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.0
Affected: 16.7.1 |
Credits
Mario Tesoro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:16:51.402681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:17:02.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:39:58.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13671/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.0"
},
{
"status": "affected",
"version": "16.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mario Tesoro"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u2122 Web Site Management Server allows Cross Site Request Forgery. The vulnerability could\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emake a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.0, 16.7.1.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u2122 Web Site Management Server allows Cross Site Request Forgery. The vulnerability could\u00a0make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:L/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:36:49.083Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854846"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854846\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854846\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854846"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-13671",
"datePublished": "2026-02-19T22:36:49.083Z",
"dateReserved": "2025-11-25T17:03:33.972Z",
"dateUpdated": "2026-02-24T14:39:58.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9208 (GCVE-0-2025-9208)
Vulnerability from cvelistv5 – Published: 2026-02-19 22:37 – Updated: 2026-02-24 14:34
VLAI?
Title
Stored-XSS vulnerability discovered in OpenText WSM Management Server.
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.
This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.x
Affected: 16.8 Affected: 16.8.1 |
Credits
Murat Altindis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:18:37.430755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:18:43.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:34:34.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-9208/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.x"
},
{
"status": "affected",
"version": "16.8"
},
{
"status": "affected",
"version": "16.8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Murat Altindis"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Stored XSS. T\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.\n\nThis issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:37:19.208Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854844"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854844\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854844\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854844"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored-XSS vulnerability discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-9208",
"datePublished": "2026-02-19T22:37:19.208Z",
"dateReserved": "2025-08-19T18:53:11.073Z",
"dateUpdated": "2026-02-24T14:34:34.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13671 (GCVE-0-2025-13671)
Vulnerability from cvelistv5 – Published: 2026-02-19 22:36 – Updated: 2026-02-24 14:39
VLAI?
Title
Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.
Summary
Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.
This issue affects Web Site Management Server: 16.7.0, 16.7.1.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.0
Affected: 16.7.1 |
Credits
Mario Tesoro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:16:51.402681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:17:02.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:39:58.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13671/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.0"
},
{
"status": "affected",
"version": "16.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mario Tesoro"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u2122 Web Site Management Server allows Cross Site Request Forgery. The vulnerability could\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emake a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.0, 16.7.1.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u2122 Web Site Management Server allows Cross Site Request Forgery. The vulnerability could\u00a0make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:L/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:36:49.083Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854846"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854846\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854846\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854846"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-13671",
"datePublished": "2026-02-19T22:36:49.083Z",
"dateReserved": "2025-11-25T17:03:33.972Z",
"dateUpdated": "2026-02-24T14:39:58.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13672 (GCVE-0-2025-13672)
Vulnerability from cvelistv5 – Published: 2026-02-19 22:36 – Updated: 2026-02-24 14:42
VLAI?
Title
Reflected Cross-Site Scripting discovered in OpenText WSM Management Server.
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.
This issue affects Web Site Management Server: 16.7.0, 16.7.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenText™ | Web Site Management Server |
Affected:
16.7.0
Affected: 16.7.1 |
Credits
Mario Tesoro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:14:57.003270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:15:35.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-24T14:42:46.727Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Site Management Server",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "16.7.0"
},
{
"status": "affected",
"version": "16.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mario Tesoro"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Reflected XSS. The vulnerability could allow\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003einjecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Web Site Management Server: 16.7.0, 16.7.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in OpenText\u2122 Web Site Management Server allows Reflected XSS. The vulnerability could allow\u00a0injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T22:36:33.467Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854847"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854847\"\u003ehttps://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026amp;sysparm_article=KB0854847\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated\u0026sysparm_article=KB0854847"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected Cross-Site Scripting discovered in OpenText WSM Management Server.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2025-13672",
"datePublished": "2026-02-19T22:36:33.467Z",
"dateReserved": "2025-11-25T17:03:44.542Z",
"dateUpdated": "2026-02-24T14:42:46.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}