CVE-2022-45928
HIGH
OpenText Extended ECM 16.2.2-22.3 - Remote Code Execution via HTML File Parameter
Title source: llm
Description
A remote OScript execution issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). Multiple endpoints allow the user to pass the parameter htmlFile, which is included in the HTML output rendering pipeline of a request. Because the Content Server evaluates and executes OScript code in HTML files, it is possible for an attacker to execute OScript code. The OScript scripting language allows the attacker (for example) to manipulate files on the filesystem, create new network connections, or execute OS commands.
References (3)
Core References
Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/170615/OpenText-Extended-ECM-22.3-File-Deletion-LFI-Privilege-Escsalation.html
Exploit, Third Party Advisory
https://sec-consult.com/vulnerability-lab/advisory/multiple-post-authentication-vulnerabilities-including-rce-opentexttm-extended-ecm/
Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/14
Scores
CVSS v3: 8.8
EPSS: 0.0174
EPSS Percentile: 74.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (1)
opentext/opentext_extended_ecm: 16.2.2 - 22.3
Published: Jan 18, 2023
Tracked Since: Feb 18, 2026