PT-2017-2936 · Opentext · Opentext Documentum Administrator
Jakub Palaczynski
Published 2017-09-24 · Updated 2017-10-06
CVE-2017-14526
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenText Documentum Administrator version 7.2.0180.0055
Description
The issue stems from improper restriction of XML external entity (XXE) references in OpenText Documentum Administrator. A remote attacker can exploit it to read arbitrary files, cause a denial of service, or obtain user hashes on Windows systems. Exploitation relies on crafted XML structures, such as a DTD, sent in requests to specific API endpoints like xda/com/documentum/ucf/server/transport/impl/GAIRConnector, or on the import or check-in of crafted XML files as a MediaProfile file.
Recommendations
For OpenText Documentum Administrator version 7.2.0180.0055, consider disabling the import and check-in functionality for XML files in MediaProfile until a patch is available. Restrict access to the xda/com/documentum/ucf/server/transport/impl/GAIRConnector endpoint to minimize the risk of exploitation. Do not accept crafted DTDs or other unexpected XML structures in requests, since these are what the attack relies on. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
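As an added defensive check for the import and check-in recommendation above (example code written here, not part of the advisory and not Documentum's own code): a Python gate built on the standard library's expat parser that refuses any XML file carrying a DOCTYPE, an entity declaration or an external entity reference before the file reaches the application. The MediaProfile-style sample documents are constructed for the demonstration.

```python
import xml.parsers.expat as expat

# Constructed samples (not from the advisory): a clean document and one whose
# DTD declares an external entity that a vulnerable parser would resolve.
CLEAN_XML = b"""<?xml version="1.0"?>
<mediaprofile><name>thumbnail</name><format>jpeg</format></mediaprofile>"""

DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE mediaprofile [
  <!ENTITY ext SYSTEM "file:///placeholder/local-file.txt">
]>
<mediaprofile><name>&ext;</name></mediaprofile>"""


def xxe_findings(data: bytes) -> list[str]:
    """Return the reasons an XML file should be refused for import/check-in.

    Parameter entities are never expanded, and every DTD-related construct is
    recorded instead of being resolved, so nothing is fetched from disk or network.
    """
    findings: list[str] = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration for <{name}>")
        if sysid or pubid:  # external DTD subset requested
            findings.append(f"external DTD reference: {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid is not None:
            findings.append(f"external {kind} entity '{name}' -> {sysid}")
        else:
            findings.append(f"internal {kind} entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid}")
        return 1  # keep parsing, but never load the referenced resource

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def safe_to_import(data: bytes) -> bool:
    """True only when the file carries no DTD, entity or external reference."""
    return not xxe_findings(data)
```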
Weakness Enumeration
XXE
Related identifiers
CVE-2017-14526
Affected products
Opentext Documentum Administrator