Filtered by vendor Opentext
Subscriptions
Total
138 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15014 | 1 Opentext | 1 Documentum Content Server | 2025-04-20 | N/A |
| OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When an authenticated user uploads content to the repository, he performs the following steps: (1) calls the START_PUSH RPC-command; (2) uploads the file to the content server; (3) calls the END_PUSH_V2 RPC-command (here, Content Server returns a DATA_TICKET integer, intended to identify the location of the uploaded file on the Content Server filesystem); (4) creates a dmr_content object in the repository, which has a value of data_ticket equal to the value of DATA_TICKET returned at the end of END_PUSH_V2 call. As the result of this design, any authenticated user may create his own dmr_content object, pointing to already existing content in the Content Server filesystem. | ||||
| CVE-2017-15012 | 1 Opentext | 1 Documentum Content Server | 2025-04-20 | N/A |
| OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 does not properly validate the input of the PUT_FILE RPC-command, which allows any authenticated user to hijack an arbitrary file from the Content Server filesystem; because some files on the Content Server filesystem are security-sensitive, this leads to privilege escalation. | ||||
| CVE-2017-14754 | 1 Opentext | 1 Document Sciences Xpression | 2025-04-20 | N/A |
| OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to Arbitrary File Read: /xAdmin/html/cm_datasource_group_xsd.jsp, parameter: xsd_datasource_schema_file filename. In order for this vulnerability to be exploited, an attacker must authenticate to the application first. | ||||
| CVE-2015-6530 | 1 Opentext | 2 Secure Mft 2013, Secure Mft 2014 | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in OpenText Secure MFT 2013 before 2013 R3 P6 and 2014 before 2014 R2 P2 allows remote attackers to inject arbitrary web script or HTML via the querytext parameter to userdashboard.jsp. | ||||
| CVE-2013-6994 | 1 Opentext | 1 Exceed Ondemand | 2025-04-12 | N/A |
| OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext, which allows remote attackers to perform session fixation attacks by sniffing the network. | ||||
| CVE-2013-6806 | 1 Opentext | 1 Exceed Ondemand | 2025-04-12 | N/A |
| OpenText Exceed OnDemand (EoD) 8 allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via a crafted string in a response, which triggers a downgrade to simple authentication that sends credentials in plaintext. | ||||
| CVE-2013-6807 | 1 Opentext | 1 Exceed Ondemand | 2025-04-12 | N/A |
| The client in OpenText Exceed OnDemand (EoD) 8 supports anonymous ciphers by default, which allows man-in-the-middle attackers to bypass server certificate validation, redirect a connection, and obtain sensitive information via crafted responses. | ||||
| CVE-2013-6805 | 1 Opentext | 1 Exceed Ondemand | 2025-04-12 | N/A |
| OpenText Exceed OnDemand (EoD) 8 uses weak encryption for passwords, which makes it easier for (1) remote attackers to discover credentials by sniffing the network or (2) local users to discover credentials by reading a .eod8 file. | ||||
| CVE-2010-5283 | 1 Opentext | 1 Livelink Ecm | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in OpenText ECM (formerly Livelink ECM) 9.7.1 allows remote attackers to hijack the authentication of administrators for requests that change folder and resource permissions. | ||||
| CVE-2013-3243 | 2 Opentext, Sap | 2 Opentext\/ixos Ecm For Sap Netweaver, Netweaver | 2025-04-11 | N/A |
| Unspecified vulnerability in OpenText/IXOS ECM for SAP NetWeaver allows remote attackers to execute arbitrary ABAP code via unknown vectors. | ||||
| CVE-2010-5282 | 1 Opentext | 1 Livelink Ecm | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in OpenText ECM (formerly Livelink ECM) 9.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) viewType and (2) sort parameters in a browse action to livelink/livelink; and the (3) nodeid, (4) setctx, and (5) support parameters to livelinkdav/nodes/OOB_DAVWindow.html. | ||||
| CVE-2023-24467 | 2 Microfocus, Opentext | 2 Imanager, Imanager | 2025-04-10 | 8.8 High |
| Possible Command Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0000. | ||||
| CVE-2023-24466 | 2 Microfocus, Opentext | 2 Imanager, Imanager | 2025-04-10 | 7.5 High |
| Possible XML External Entity Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0200. | ||||
| CVE-2021-38117 | 2 Microfocus, Opentext | 2 Imanager, Imanager | 2025-04-10 | 8.8 High |
| Possible Command injection Vulnerability in iManager has been discovered in OpenText™ iManager 3.2.4.0000. | ||||
| CVE-2021-38116 | 2 Microfocus, Opentext | 2 Imanager, Imanager | 2025-04-10 | 8.8 High |
| Possible Elevation of Privilege Vulnerability in iManager has been discovered in OpenText™ iManager. This impacts all versions before 3.2.5 | ||||
| CVE-2008-0769 | 1 Opentext | 1 Livelink Ecm | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in Livelink ECM 9.0.0 through 9.7.0 and possibly earlier does not set the charset, which allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded input. | ||||
| CVE-2022-45926 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | 8.8 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The endpoint notify.localizeEmailTemplate allows a low-privilege user to evaluate webreports. | ||||
| CVE-2022-45925 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | 7.5 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The action xmlexport accepts the parameter requestContext. If this parameter is present, the response includes most of the HTTP headers sent to the server and some of the CGI variables like remote_adde and server_name, which is an information disclosure. | ||||
| CVE-2022-45924 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | 8.1 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The endpoint itemtemplate.createtemplate2 allows a low-privilege user to delete arbitrary files on the server's local filesystem. | ||||
| CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | 8.8 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | ||||