CVE-2025-11884 - Vulnerability Details - OpenCVE

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious scripts

This issue affects uCMDB: 24.4.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

https://portal.microfocus.com/s/article/KM000043674?language=en_US

Workaround

No workaround given by the vendor.

References

Link	Providers
https://portal.microfocus.com/s/article/KM000043674?language=en_US

History

Thu, 20 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 19 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious scripts This issue affects uCMDB: 24.4.
Title		Cross-site Scripting vulnerability discovered in OpenText™ Universal Discovery and CMDB
Weaknesses		CWE-79
References		https://portal.microfocus.com/s/article/KM000043674?language=en_US
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Green'}`

MITRE

Status: PUBLISHED

Assigner: OpenText

Published: 2025-11-19T21:13:48.572Z

Updated: 2025-11-20T14:35:24.781Z

Reserved: 2025-10-16T17:50:24.435Z

Link: CVE-2025-11884

Vulnrichment

Updated: 2025-11-20T14:35:22.161Z

NVD

Status : Awaiting Analysis

Published: 2025-11-19T22:16:02.690

Modified: 2025-11-21T15:13:59.083

Link: CVE-2025-11884

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11884", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2025-10-16T17:50:24.435Z", "datePublished": "2025-11-19T21:13:48.572Z", "dateUpdated": "2025-11-20T14:35:24.781Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "uCMDB", "vendor": "OpenText\u2122", "versions": [{"status": "affected", "version": "24.4"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mateusz \"MaTTallica\" Klement"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an<span style=\"background-color: rgb(255, 255, 255);\"> attacker has high level access to UCMDB to create or update data with malicious scripts</span>\n\n<p>This issue affects uCMDB: 24.4.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow\u00a0an\u00a0attacker has high level access to UCMDB to create or update data with malicious scripts\n\nThis issue affects uCMDB: 24.4."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2025-11-19T21:13:48.572Z"}, "references": [{"url": "https://portal.microfocus.com/s/article/KM000043674?language=en_US"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000043674?language=en_US\">https://portal.microfocus.com/s/article/KM000043674?language=en_US</a><br>"}], "value": "https://portal.microfocus.com/s/article/KM000043674?language=en_US"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-site Scripting vulnerability discovered in OpenText\u2122 Universal Discovery and CMDB", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-20T14:35:18.595822Z", "id": "CVE-2025-11884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-20T14:35:24.781Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-20T14:35:18.595822Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-20T14:35:22.161Z"}}], "cna": {"title": "Cross-site Scripting vulnerability discovered in OpenText\u2122 Universal Discovery and CMDB", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Mateusz \"MaTTallica\" Klement"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 2.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenText\u2122", "product": "uCMDB", "versions": [{"status": "affected", "version": "24.4"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "https://portal.microfocus.com/s/article/KM000043674?language=en_US", "supportingMedia": [{"type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000043674?language=en_US\">https://portal.microfocus.com/s/article/KM000043674?language=en_US</a><br>", "base64": false}]}], "references": [{"url": "https://portal.microfocus.com/s/article/KM000043674?language=en_US"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow\u00a0an\u00a0attacker has high level access to UCMDB to create or update data with malicious scripts\n\nThis issue affects uCMDB: 24.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an<span style=\"background-color: rgb(255, 255, 255);\"> attacker has high level access to UCMDB to create or update data with malicious scripts</span>\n\n<p>This issue affects uCMDB: 24.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2025-11-19T21:13:48.572Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11884", "state": "PUBLISHED", "dateUpdated": "2025-11-20T14:35:24.781Z", "dateReserved": "2025-10-16T17:50:24.435Z", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "datePublished": "2025-11-19T21:13:48.572Z", "assignerShortName": "OpenText"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow\u00a0an\u00a0attacker has high level access to UCMDB to create or update data with malicious scripts\n\nThis issue affects uCMDB: 24.4."}], "id": "CVE-2025-11884", "lastModified": "2025-11-21T15:13:59.083", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2025-11-19T22:16:02.690", "references": [{"source": "security@opentext.com", "url": "https://portal.microfocus.com/s/article/KM000043674?language=en_US"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@opentext.com", "type": "Primary"}]}