CVE-2017-14525

Name of the Vulnerable Software and Affected Versions OpenText Documentum Webtop version 6.8.0160.0073

Description The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This can be achieved via a URL in the startat parameter to "xda/help/en/default.htm" or by using a slash encoded horizontal tab slash (/%09/) followed by a domain in the redirectUrl parameter to "xda/component/virtuallinkconnect".

Recommendations For OpenText Documentum Webtop version 6.8.0160.0073, consider restricting access to the startat and redirectUrl parameters in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the startat parameter in the "xda/help/en/default.htm" endpoint and restrict the redirectUrl parameter in the "xda/component/virtuallinkconnect" endpoint to minimize the risk of exploitation.