PT-2017-2937 · Opentext · Opentext Documentum Webtop
Jakub Palaczynski +1
Published 2017-09-24 · Updated 2017-10-10
CVE-2017-14527
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenText Documentum Webtop version 6.8.0160.0073
Description
The web interface of OpenText Documentum Webtop is affected by an XML external entity (XXE) vulnerability. A remote attacker can exploit it to read arbitrary files, cause a denial of service, or obtain user hashes on Windows systems. Exploitation relies on crafted XML structures, such as a crafted DTD, sent in requests to specific API endpoints like xda/com/documentum/ucf/server/transport/impl/GAIRConnector, or supplied through the import or check-in of crafted XML files in a MediaProfile file.
Recommendations
For OpenText Documentum Webtop version 6.8.0160.0073, consider disabling the GAIRConnector function until a patch is available, to prevent exploitation through crafted XML structures. Restrict access to the MediaProfile file import and check-in features to minimize the risk of XXE attacks. Do not allow crafted DTDs in XML requests, so that denial of service and arbitrary file reading are prevented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XXE
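The recommendations above amount to refusing DTD-bearing XML on the affected import, check-in and request paths. The following is an added example (not code from the advisory or from OpenText) of such a pre-parse gate: it uses only the Python standard library, aborts at the DOCTYPE before any entity is registered or fetched, and reports why a document was refused; the sample documents are constructed and do not reflect the real MediaProfile format.

```python
# Added example, not code from the advisory or from OpenText: a pre-parse gate
# for XML arriving from outside (an uploaded file, a request body). It refuses
# any document that declares a DTD or references an external entity, the
# mechanism XXE depends on, before anything can be expanded or fetched.
import xml.parsers.expat

class UnsafeXml(ValueError):
    """The document uses a DTD or an external entity; parsing was aborted."""

def classify_xml(data: bytes) -> tuple:
    """Return ("accept", root_element_name) or ("reject", reason).
    Parsing stops at the DOCTYPE itself, so entity definitions in an internal
    subset are never registered, and no handler ever loads external content.
    """
    root = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity declaration is processed.
        raise UnsafeXml("DOCTYPE %r rejected (system id %r, internal subset %s)"
                        % (name, system_id, bool(has_internal_subset)))

    def on_external_entity(context, base, system_id, public_id):
        # Second line of defence; normally unreachable once DOCTYPE is refused.
        raise UnsafeXml("external entity reference to %r rejected" % (system_id,))

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeXml as e:
        return ("reject", str(e))
    except xml.parsers.expat.ExpatError as e:
        return ("reject", "malformed XML: %s" % e)
    return ("accept", root[0])

# Constructed samples (not the real MediaProfile format): a plain document and
# the same document with a DTD that declares an external entity.
SAFE_DOC = b'<?xml version="1.0"?><profile><name>demo</name></profile>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
           b'<profile><name>&ext;</name></profile>')
```

Run the gate on untrusted input before handing the bytes to the application's real XML parser; a "reject" result is also a useful event to log, since a DOCTYPE in a MediaProfile upload or a GAIRConnector request is itself a signal worth alerting on.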
Affected Products
Opentext Documentum Webtop