CVE-2017-14754

MEDIUM

OpenText Document Sciences xPression < 4.5 - Authenticated Arbitrary File Read via xsd_datasource_schema_file Parameter

Title source: llm

Description

OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to an arbitrary file read in /xAdmin/html/cm_datasource_group_xsd.jsp through the filename passed in the xsd_datasource_schema_file parameter. An attacker must first authenticate to the application to exploit this vulnerability.

References (2)

Core References
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2017/Sep/92
Permissions Required, Vendor Advisory x_refsource_misc
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Scores

CVSS v3 6.5
EPSS 0.0130
EPSS Percentile 66.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22
Status published
Products (1)
opentext/document_sciences_xpression < 4.5
Published Oct 03, 2017
Tracked Since Feb 18, 2026