CVE-2025-9208 in Web Site Management Server
Summary
by MITRE • 02/20/2026
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.
This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/28/2026
The CVE-2025-9208 vulnerability represents a critical stored cross-site scripting flaw within OpenText™ Web Site Management Server versions 16.7.X, 16.8, and 16.8.1. This vulnerability falls under the CWE-79 category of Cross-site Scripting and specifically manifests as a stored XSS attack vector that can persistently compromise user sessions and sensitive data. The flaw occurs during the web page generation process when input validation is insufficiently applied to user-supplied data, creating an environment where malicious scripts can be injected and subsequently executed in the context of other users' browsers.
The technical exploitation of this vulnerability occurs when attackers manipulate the download query parameter within file URLs, removing it in a manner that allows malicious payloads to be stored within the application's database or configuration files. This stored payload then executes whenever legitimate users access the affected web pages, particularly when the application processes the modified file URLs. The vulnerability's persistence stems from the server's failure to properly sanitize or escape user input during the web page generation phase, allowing attacker-controlled scripts to be rendered as part of the normal page content.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to hijack user sessions, steal sensitive information, perform unauthorized actions on behalf of victims, and potentially gain access to administrative functions. When combined with the specific context of the download parameter manipulation, attackers can craft persistent malicious URLs that remain effective across multiple user sessions and page views. This vulnerability directly aligns with ATT&CK technique T1531 for Account Access Removal and T1071.004 for Application Layer Protocol: DNS, as it enables attackers to establish persistent access to user accounts and manipulate application behavior through crafted input.
Organizations affected by this vulnerability should immediately implement input validation and output encoding measures to prevent malicious scripts from being stored or executed within the web application. The recommended mitigations include implementing proper parameter sanitization for all user-supplied data, particularly query parameters and URL components, and deploying Content Security Policy headers to limit script execution. Additionally, regular security scanning and input validation should be enforced at multiple layers of the application architecture, with particular attention to the web page generation process where the vulnerability is most prevalent. The fix should address the root cause by ensuring that all user-supplied parameters undergo proper validation and encoding before being processed or stored within the application's data structures, preventing the persistence of malicious content that could compromise user sessions and data integrity.