OpenText · OpenText Web Site Management Server · CVE-2025-9208
**Name of the Vulnerable Software and Affected Versions**
OpenText Web Site Management Server versions 16.7.X, 16.8, and 16.8.1
**Description**
OpenText Web Site Management Server is vulnerable to stored cross-site scripting (XSS). The issue occurs when the `download` query parameter is removed from a file URL, potentially enabling attackers to execute malicious scripts on the client side. Successful exploitation could lead to compromised user sessions and data. The affected endpoint is a file URL where the `download` parameter is processed; the vulnerable parameter is `download`.
**Recommendations**
Versions 16.7.X should be updated.
Versions 16.8 should be updated.
Versions 16.8.1 should be updated.