CVE-2025-9208 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting OpenText™ Web Site Management Server versions 16.7.x, 16.8, and 16.8.1. The vulnerability stems from improper input neutralization during web page generation, specifically when the 'download' query parameter is removed from file URLs. This flaw allows an attacker to inject malicious JavaScript code that is stored on the server and executed in the browsers of users who access the affected pages. The attack vector is network-based with low complexity, requiring some privileges and user interaction, but no authentication is necessary. Successful exploitation can lead to session hijacking, theft of sensitive information, and potential further compromise of user accounts or systems. The CVSS 4.0 base score is 7.5 (high), reflecting significant impact on confidentiality, integrity, and availability with partial scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a serious risk to organizations relying on the affected OpenText product for website management. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent script injection attacks.

The impact of CVE-2025-9208 is substantial for organizations using vulnerable versions of OpenText Web Site Management Server. Exploitation can lead to execution of arbitrary scripts in the context of users’ browsers, enabling attackers to hijack user sessions, steal credentials, manipulate or exfiltrate sensitive data, and potentially pivot to further internal network compromise. This undermines the confidentiality and integrity of user data and may disrupt availability if malicious scripts perform destructive actions. Given the product’s role in managing web content, compromised sites could also damage organizational reputation and trust. The vulnerability affects a broad range of industries that utilize OpenText for content management, including government, finance, healthcare, and large enterprises. The ease of exploitation combined with the potential for stored XSS to affect multiple users increases the threat severity. Organizations lacking timely patching or mitigations risk significant operational and data security consequences.

To mitigate CVE-2025-9208, organizations should immediately upgrade OpenText Web Site Management Server to a patched version once available. In the absence of official patches, implement strict input validation and output encoding on all user-controllable inputs, especially those related to file URLs and query parameters like 'download'. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Regularly audit and sanitize stored content to detect and remove malicious scripts. Limit user privileges to reduce the ability of attackers to inject payloads. Monitor web server logs for suspicious requests involving the 'download' parameter manipulation. Educate users about the risks of interacting with untrusted links. Finally, conduct penetration testing focused on XSS vectors to validate the effectiveness of mitigations.