CVE-2025-0883 is a vulnerability classified under CWE-81, which involves improper neutralization of script in an error message web page within OpenText™ Service Manager versions 9.70, 9.71, 9.72, and 9.80. This vulnerability arises when the application fails to properly sanitize or encode script content embedded in error messages displayed to users. As a result, an attacker could inject malicious scripts into error pages, which would then be executed by the victim's browser. The primary risk here is the potential exposure of sensitive information retained by the browser, such as cookies, session tokens, or other data accessible via the Document Object Model (DOM). However, the vulnerability does not appear to allow direct code execution on the server or full cross-site scripting (XSS) exploitation that leads to account takeover or privilege escalation. The CVSS 4.0 score of 2.1 reflects a low severity, indicating that exploitation requires high attack complexity, partial user interaction, and limited privileges. The vulnerability does not affect availability or integrity directly but poses a confidentiality risk through information disclosure. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue is specific to error message handling in the affected OpenText Service Manager versions, which are enterprise IT service management solutions used for managing IT services and workflows.

For European organizations using OpenText Service Manager versions 9.70 through 9.80, this vulnerability could lead to unintended disclosure of sensitive information stored in users' browsers when error pages are triggered. This could include session cookies or other data that might facilitate further attacks such as session hijacking or targeted phishing. Although the severity is low, the impact could be more pronounced in environments where sensitive or regulated data is handled, such as financial institutions, healthcare providers, or government agencies. The vulnerability could undermine user trust and compliance with data protection regulations like GDPR if sensitive personal data is exposed. However, the limited exploitability and lack of known active exploitation reduce the immediate risk. Still, attackers might chain this vulnerability with others to escalate impact. The risk is heightened in scenarios where users frequently encounter error pages or where error messages are exposed to untrusted inputs without additional filtering.

Organizations should prioritize upgrading to a patched version of OpenText Service Manager once available. In the interim, administrators can implement strict input validation and output encoding on error message content to neutralize any embedded scripts. Web application firewalls (WAFs) can be configured to detect and block suspicious script injections in error responses. Additionally, limiting user privileges and enforcing least privilege principles can reduce the risk of exploitation. Monitoring and logging error page accesses for unusual patterns may help detect attempted exploitation. Educating users about the risks of interacting with unexpected error messages and encouraging cautious behavior can also mitigate impact. Finally, organizations should review browser security settings to limit the exposure of sensitive data to scripts, such as enforcing HttpOnly and Secure flags on cookies and employing Content Security Policy (CSP) headers to restrict script execution origins.