Vulnerability Description
A remote OScript execution issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). Multiple endpoints allow the user to pass the parameter htmlFile, which is included in the HTML output rendering pipeline of a request. Because the Content Server evaluates and executes OScript code in HTML files, it is possible for an attacker to execute OScript code. The OScript scripting language allows the attacker (for example) to manipulate files on the filesystem, create new network connections, or execute OS commands.
CVSS Score
HIGH (CVSS base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opentext | Opentext Extended Ecm | >= 16.2.2, <= 22.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/170615/OpenText-Extended-ECM-22.3-File-Dele (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2023/Jan/14 (Exploit, Mailing List, Third Party Advisory)
- https://sec-consult.com/vulnerability-lab/advisory/multiple-post-authentication- (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-45928?
CVE-2022-45928 is a vulnerability with a CVSS score of 8.8 (HIGH). A remote OScript execution issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). Multiple endpoints allow the user to pass the parameter htmlFile, which is included in the HTML ...
How severe is CVE-2022-45928?
CVE-2022-45928 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-45928?
Check the references section above for vendor advisories and patch information. Affected products include: Opentext Opentext Extended Ecm.