CVE-2017-14524

Name of the Vulnerable Software and Affected Versions OpenText Documentum Administrator version 7.2.0180.0055

Description The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This can be achieved via a URL in the startat parameter to "xda/help/en/default.htm" or by using a slash encoded horizontal tab slash / %09/ followed by a domain in the redirectUrl parameter to "xda/component/virtuallinkconnect".

Recommendations For OpenText Documentum Administrator version 7.2.0180.0055, consider restricting access to the startat and redirectUrl parameters to minimize the risk of exploitation. As a temporary workaround, avoid using the startat parameter in the "xda/help/en/default.htm" endpoint and restrict the redirectUrl parameter in the "xda/component/virtuallinkconnect" endpoint to trusted domains until a patch is available.