CVE-2025-13672: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in OpenText™ Web Site Management Server
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow malicious JavaScript to be injected into URL parameters and then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1.
AI Analysis
Technical Summary
CVE-2025-13672 is a reflected Cross-site Scripting (XSS) vulnerability identified in OpenText Web Site Management Server versions 16.7.0 and 16.7.1. The root cause is improper neutralization of user-supplied input during the generation of web pages, specifically in the preview functionality where URL parameters are rendered without adequate sanitization. This flaw allows an attacker to craft malicious URLs containing JavaScript payloads that execute in the context of the victim's browser when the preview page is accessed. The vulnerability is classified under CWE-79, indicating failure to properly sanitize input leading to script injection. The CVSS 4.0 base score is 7.0, reflecting high severity due to network attack vector, low attack complexity, partial user interaction, and significant impact on confidentiality and integrity. The vulnerability does not require authentication but does require some user interaction (clicking a malicious link). The scope is partial, affecting only the Web Site Management Server component. No public exploits have been reported yet, but the nature of reflected XSS makes it a common and exploitable attack vector. This vulnerability could be leveraged for session hijacking, credential theft, or delivering further malware via client-side script execution.
Potential Impact
The primary impact of CVE-2025-13672 is the execution of arbitrary JavaScript code in the context of the victim's browser, which can lead to theft of sensitive information such as session cookies, credentials, or other data accessible to the browser. This can compromise user confidentiality and integrity. Additionally, attackers could perform actions on behalf of the user or redirect users to malicious sites. For organizations, this can result in data breaches, loss of user trust, and potential regulatory penalties. Since the vulnerability affects a web content management system, it may impact websites managed by affected organizations, potentially exposing their user base to attacks. The requirement for user interaction (clicking a malicious link) somewhat limits the attack surface but does not eliminate risk, especially in phishing scenarios. The lack of known exploits in the wild suggests the threat is currently theoretical but should be treated proactively given the ease of exploitation and high impact.
Mitigation Recommendations
Organizations should immediately assess their use of OpenText Web Site Management Server versions 16.7.0 and 16.7.1 and plan to upgrade to a patched version once available. In the absence of patches, implement strict input validation and output encoding on all user-supplied data, especially URL parameters rendered in previews. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of XSS attacks. Educate users to be cautious with unsolicited links and implement web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the affected endpoints. Regularly audit web application logs for suspicious URL patterns. Additionally, disable or restrict the preview functionality if it is not essential, or isolate it behind authentication and access controls to reduce exposure. Monitor vendor advisories for updates and apply security patches promptly.
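The log audit recommended above, sketched as an added example (not code from OpenText or from this advisory). The `/cms/preview` path, the parameter names and the sample log lines are constructed placeholders, and the pattern list is a heuristic assumption to tune for your own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format). The path
# /cms/preview is a placeholder, not the product's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /cms/preview?page=home&lang=en HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2026:10:00:07 +0000] "GET /cms/preview?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5340
198.51.100.4 - - [01/Mar/2026:10:01:12 +0000] "GET /cms/preview?title=%2522%2520onerror%253Dx HTTP/1.1" 200 5100
198.51.100.7 - - [01/Mar/2026:10:02:30 +0000] "GET /cms/preview?q=a%3Cb+and+c%3Ed HTTP/1.1" 200 4990
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that has no business in a preview parameter value (heuristic).
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b|\bon\w+\s*=|javascript\s*:", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit(log_text, path_prefix="/cms/preview"):
    """Return (client_ip, parameter, decoded_value) for each suspicious hit."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(path_prefix):
            continue  # only the preview endpoint is in scope
        # parse_qsl decodes once; fully_decode handles nested encoding.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if SUSPICIOUS_RE.search(decoded):
                findings.append((ip, name, decoded))
    return findings

if __name__ == "__main__":
    for ip, name, value in audit(SAMPLE_LOG):
        print(f"{ip} param={name!r} value={value!r}")
```

The fourth sample line carries `<` and `>` in ordinary text and is deliberately not flagged; a hit is a lead for review, not proof of an attack.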
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: OpenText
- Date Reserved: 2025-11-25T17:03:44.542Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6997966bd7880ec89b39b1c0
Added to database: 2/19/2026, 11:02:03 PM
Last enriched: 2/28/2026, 12:47:32 PM
Last updated: 4/5/2026, 12:27:50 AM