"Critical Vulnerabilities Patched in OpenText Enterprise Content Management System"
Security researchers at Sec Consult have discovered several vulnerabilities described as having a critical and high impact, including ones allowing unauthenticated remote code execution, in OpenText's enterprise content management (ECM) product. OpenText's Extended ECM is designed for managing the distribution and use of information across an organization. Specifically, the flaws impact the product's Content Server component. The researchers informed OpenText about the vulnerabilities in October 2022 and patched them earlier this month with the release of version 22.4. The researchers stated that one of the critical vulnerabilities, tracked as CVE-2022-45923, can allow an unauthenticated attacker to execute arbitrary code using specially crafted requests. The second critical flaw, CVE-2022-45927, impacts the Java Frontend of the OpenText Content Server component and can allow an attacker to bypass authentication. The researchers noted that exploitation could ultimately lead to remote code execution. The researchers also identified five types of vulnerabilities in the Content Server component that can be exploited by authenticated attackers. These issues, rated "high impact," can be exploited to delete arbitrary files on the server, escalate privileges, obtain potentially valuable information, launch server-side request forgery (SSRF) attacks, and execute arbitrary code. The researchers noted that Proof-of-concept (PoC) code is available for the high-impact issues.