PT-2026-20947 · Opentext · Opentext Web Site Management Server
Murat Altindis
·
Published
2026-02-19
·
Updated
2026-02-27
·
CVE-2025-9208
CVSS v4.0
7.5
High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red |
Name of the Vulnerable Software and Affected Versions
OpenText Web Site Management Server versions 16.7.X, 16.8, and 16.8.1
Description
A flaw exists in OpenText Web Site Management Server that allows for Stored Cross-site Scripting (XSS). The issue occurs when the
download query parameter is removed from a file URL, potentially enabling attackers to execute malicious scripts on the client side. Successful exploitation could lead to compromised user sessions and data. The API endpoint involved is a file URL where the download parameter is processed. The vulnerable parameter is download.Recommendations
Versions 16.7.X should be updated.
Versions 16.8 should be updated.
Versions 16.8.1 should be updated.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Opentext Web Site Management Server