CVE-2025-13672

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847	Vendor Advisory
https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opentext:web_site_management_server:16.7.0:::::::*
	cpe:2.3:a:opentext:web_site_management_server:16.7.1:::::::*

History

No history.

Information

Published : 2026-02-19 23:16

Updated : 2026-02-27 23:55

NVD link : CVE-2025-13672

Mitre link : CVE-2025-13672

CVE.ORG link : CVE-2025-13672

JSON object : View

Products Affected

opentext

web_site_management_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-13672", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security@opentext.com", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 7.0, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:H/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "HIGH", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-19T23:16:15.090", "references": [{"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847", "tags": ["Vendor Advisory"], "source": "security@opentext.com"}, {"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText\u2122 Web Site Management Server allows Reflected XSS. The vulnerability could allow\u00a0injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (XSS o 'cross-site scripting') vulnerabilidad en OpenText\u2122 Web Site Management Server permite XSS Reflejado. La vulnerabilidad podr\u00eda permitir la inyecci\u00f3n de JavaScript malicioso dentro de los par\u00e1metros de la URL que luego se renderizaba con la vista previa de la p\u00e1gina, de modo que los scripts maliciosos pudieran ejecutarse en el lado del cliente.\n\nEste problema afecta a Web Site Management Server: 16.7.0, 16.7.1."}], "lastModified": "2026-02-27T23:55:48.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opentext:web_site_management_server:16.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E000A1B5-35A3-4D7C-9F19-F25445CCBF7D"}, {"criteria": "cpe:2.3:a:opentext:web_site_management_server:16.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A7FFB19-6DF1-433A-9304-F483CEAE2646"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}