CVE-2025-13672 is a reflected Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting OpenText™ Web Site Management Server versions 16.7.0 and 16.7.1. The vulnerability stems from improper neutralization of user-supplied input during web page generation, specifically within URL parameters that are rendered in the page preview functionality. This flaw allows attackers to craft malicious URLs containing JavaScript payloads that execute in the context of the victim’s browser when the preview is accessed. The vulnerability requires the victim to interact with a maliciously crafted link, making social engineering a likely exploitation vector. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), partial privileges required (PR:L), user interaction required (UI:P), and high impact on confidentiality (VC:H), low impact on integrity (VI:L), and no impact on availability (VA:N). The scope is partial (S:P), meaning the vulnerability affects resources beyond the initially vulnerable component. No known exploits have been reported yet, but the high CVSS score reflects the potential severity. The vulnerability could lead to theft of sensitive information, session hijacking, or execution of arbitrary scripts in the user’s browser, undermining trust and security of the affected web application. The lack of current patches necessitates immediate mitigation steps to reduce risk.

The impact of CVE-2025-13672 is significant for organizations using OpenText Web Site Management Server 16.7.0 and 16.7.1. Successful exploitation can lead to client-side script execution, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. This compromises confidentiality and integrity of user data and can facilitate further attacks such as phishing or malware distribution. The vulnerability affects the availability of trust in the web application, potentially damaging organizational reputation. Since the attack requires user interaction, phishing campaigns or social engineering could be used to lure victims. Enterprises with large user bases or sensitive data exposed via the affected server are at heightened risk. The partial scope impact means that the vulnerability could affect multiple components or users beyond the initially vulnerable module, increasing the potential damage. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score underscores the urgency for remediation.

To mitigate CVE-2025-13672, organizations should first monitor OpenText’s official channels for patches addressing this vulnerability and apply them promptly once released. In the interim, implement strict input validation and output encoding on all user-supplied data, especially URL parameters used in page previews, to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of any injected code. Review and harden web application firewall (WAF) rules to detect and block suspicious payloads targeting the preview functionality. Educate users and administrators about the risks of clicking untrusted links to reduce successful social engineering attempts. Conduct thorough security testing of the Web Site Management Server environment to identify and remediate similar input validation issues. Limit privileges of accounts interacting with the preview feature to minimize potential damage. Finally, maintain comprehensive logging and monitoring to detect any anomalous activities that could indicate exploitation attempts.