An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/170614/OpenText-Extended-ECM-22.3-Java-Frontend-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Jan/13 | Exploit Mailing List Third Party Advisory |
https://sec-consult.com/vulnerability-lab/advisory/pre-authenticated-remote-code-execution-via-java-frontend-qds-endpoint-opentext-extended-ecm/ | Exploit Third Party Advisory |
History
30 Jan 2023, 15:28
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown; v3 : 8.8 |
First Time | Opentext opentext Extended Ecm; Opentext | |
CWE | CWE-639 | |
CPE | cpe:2.3:a:opentext:opentext_extended_ecm:*:*:*:*:*:*:*:* | |
References | (MISC) http://packetstormsecurity.com/files/170614/OpenText-Extended-ECM-22.3-Java-Frontend-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://sec-consult.com/vulnerability-lab/advisory/pre-authenticated-remote-code-execution-via-java-frontend-qds-endpoint-opentext-extended-ecm/ - Exploit, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jan/13 - Exploit, Mailing List, Third Party Advisory | |
20 Jan 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Jan 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
18 Jan 2023, 23:38
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-18 22:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-45927
Mitre link : CVE-2022-45927
CVE.ORG link : CVE-2022-45927
Products Affected
opentext
- opentext_extended_ecm
CWE
CWE-639
Authorization Bypass Through User-Controlled Key