CVE-2018-20165

MEDIUM

OpenText Portal 7.4.4 - Cross-Site Scripting via vgnextoid Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20165. PoCs published by hect0rS.

AI-analyzed exploit summary This repository contains a writeup describing a reflected XSS vulnerability in OpenText Portal v7.4.4, where arbitrary JavaScript can be injected via the vgnextoid URI parameter by closing an HTML comment sequence. The writeup includes evidence screenshots but no exploit code.

Description

Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.

Exploits (1)

nomisec WRITEUP

by hect0rS · poc

https://github.com/hect0rS/Reflected-XSS-on-Opentext-Portal-v7.4.4

View Code ZIP pw:eip

This repository contains a writeup describing a reflected XSS vulnerability in OpenText Portal v7.4.4, where arbitrary JavaScript can be injected via the vgnextoid URI parameter by closing an HTML comment sequence. The writeup includes evidence screenshots but no exploit code.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: OpenText Portal v7.4.4

No auth needed

Prerequisites: Access to a vulnerable OpenText Portal instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory x_refsource_misc

https://github.com/hect0rS/Reflected-XSS-on-Opentext-Portal-v7.4.4/blob/master/readme.md

View Writeup ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0095

EPSS Percentile 76.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

opentext/opentext_portal 7.4.4

Published Mar 22, 2019

Tracked Since Feb 18, 2026