CVE-2022-45925
HIGH
OpenText Extended ECM 16.2.2-22.3 - Information Disclosure via xmlexport requestContext Parameter
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The xmlexport action accepts a requestContext parameter. When this parameter is present, the response includes most of the HTTP headers sent to the server and some CGI variables, such as remote_addr and server_name, which constitutes an information disclosure.
References (3)
Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/170615/OpenText-Extended-ECM-22.3-File-Deletion-LFI-Privilege-Escsalation.html
Exploit, Third Party Advisory
https://sec-consult.com/vulnerability-lab/advisory/multiple-post-authentication-vulnerabilities-including-rce-opentexttm-extended-ecm/
Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/14
Scores
CVSS v3: 7.5
EPSS: 0.1694
EPSS Percentile: 96.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (1): opentext/opentext_extended_ecm, 16.2.2 - 22.3
Published: Jan 18, 2023
Tracked Since: Feb 18, 2026