PT-2017-13508 · Opentext · Opentext Documentum Webtop

Published

2017-09-27

Updated

2017-10-06

CVE-2017-14525

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions OpenText Documentum Webtop version 6.8.0160.0073

Description The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This can be achieved via a URL in the startat parameter to "xda/help/en/default.htm" or by using a slash encoded horizontal tab slash (/%09/) followed by a domain in the redirectUrl parameter to "xda/component/virtuallinkconnect".

Recommendations For OpenText Documentum Webtop version 6.8.0160.0073, consider restricting access to the startat and redirectUrl parameters in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the startat parameter in the "xda/help/en/default.htm" endpoint and restrict the redirectUrl parameter in the "xda/component/virtuallinkconnect" endpoint to minimize the risk of exploitation.

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

CVE-2017-14525

Affected Products

Opentext Documentum Webtop

PT-2017-13508 · Opentext · Opentext Documentum Webtop

CVE-2017-14525

Weakness Enumeration

Related Identifiers

Affected Products

References · 4