CVE-2022-45928
Summary
| CVE | CVE-2022-45928 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-18 21:15:00 UTC |
| Updated | 2023-01-25 21:28:00 UTC |
| Description | A remote OScript execution issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). Multiple endpoints allow the user to pass the parameter htmlFile, which is included in the HTML output rendering pipeline of a request. Because the Content Server evaluates and executes OScript code in HTML files, it is possible for an attacker to execute OScript code. The OScript scripting language allows the attacker (for example) to manipulate files on the filesystem, create new network connections, or execute OS commands. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Opentext | Opentext Extended Ecm | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Multiple post-authentication vulnerabilities including RCE (OpenText™ Extended ECM) | MISC | sec-consult.com | |
| Full Disclosure: SEC Consult SA-20230117-2 :: Multiple post-authentication vulnerabilities including RCE in @OpenText Content Server component of OpenText Extended ECM | FULLDISC | seclists.org | |
| OpenText Extended ECM 22.3 File Deletion / LFI / Privilege Escalation ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.