PT-2017-13507 · Opentext · Opentext Documentum Administrator
Published
2017-09-27
·
Updated
2017-10-06
·
CVE-2017-14524
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenText Documentum Administrator version 7.2.0180.0055
Description
The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This can be achieved via a URL in the
startat parameter to "xda/help/en/default.htm" or by using a slash encoded horizontal tab slash / %09/ followed by a domain in the redirectUrl parameter to "xda/component/virtuallinkconnect".Recommendations
For OpenText Documentum Administrator version 7.2.0180.0055, consider restricting access to the
startat and redirectUrl parameters to minimize the risk of exploitation. As a temporary workaround, avoid using the startat parameter in the "xda/help/en/default.htm" endpoint and restrict the redirectUrl parameter in the "xda/component/virtuallinkconnect" endpoint to trusted domains until a patch is available.Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Opentext Documentum Administrator