
Description

Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows an attacker to upload files on behalf of an authenticated (logged-in) user and then to retrieve those files without authentication.
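The two defects the description chains together are (1) an upload endpoint that is protected only by the browser-attached session cookie, so a form auto-submitted from a third-party page succeeds with the victim's privileges, and (2) a download path that never checks for a session at all. The following Python model, added here as an illustration and not taken from the CVE record or from Opinio's code, replays a constructed forged upload and an anonymous download against a vulnerable variant and a hardened variant of each endpoint. The endpoint names, the `JSESSIONID` cookie name, the origins, and the file names are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed site origin and endpoint names; not taken from the advisory.
SITE_ORIGIN = "https://survey.example.test"
UPLOAD_PATH = "/resources/upload"
DOWNLOAD_PREFIX = "/resources/"


@dataclass
class Request:
    """Only the parts of an HTTP request that the checks below inspect."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class ResourceApp:
    """Toy resource-management feature: upload a file, fetch it back by name."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}
        self.files = {}     # file name -> (owner, content)

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("JSESSIONID"))

    # Vulnerable pattern: the cookie is the only thing authenticating the POST.
    def upload_vulnerable(self, req):
        sess = self._session(req)
        if sess is None:
            return 401
        self.files[req.form["name"]] = (sess["user"], req.form["data"])
        return 201

    # Vulnerable pattern: the download path never looks for a session.
    def download_vulnerable(self, req):
        entry = self.files.get(req.path.removeprefix(DOWNLOAD_PREFIX))
        return (200, entry[1]) if entry else (404, None)

    # Hardened upload: same-origin check plus a session-bound synchronizer token.
    def upload_hardened(self, req):
        sess = self._session(req)
        if sess is None:
            return 401
        # Browsers send Origin on cross-site form POSTs; a missing or foreign
        # value is rejected. Referer is the fallback for clients without Origin.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
            return 403
        # The attacker's page cannot read the token, so it cannot forge a
        # request containing it. Compare in constant time.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
            return 403
        self.files[req.form["name"]] = (sess["user"], req.form["data"])
        return 201

    # Hardened download: require a session and check ownership.
    def download_hardened(self, req):
        sess = self._session(req)
        if sess is None:
            return (401, None)
        entry = self.files.get(req.path.removeprefix(DOWNLOAD_PREFIX))
        if entry is None:
            return (404, None)
        if entry[0] != sess["user"]:
            return (403, None)
        return (200, entry[1])


def run_scenario():
    """Replay the chain against both variants; return the status codes."""
    app = ResourceApp()
    sid = app.login("victim")
    victim_cookie = {"JSESSIONID": sid}

    # Constructed forged request: a form auto-submitted from an attacker page
    # while the victim is logged in. The browser attaches the session cookie
    # (assuming it is not SameSite-restricted); the attacker cannot supply the token.
    forged = Request("POST", UPLOAD_PATH,
                     headers={"Origin": "https://attacker.example.test"},
                     cookies=victim_cookie,
                     form={"name": "planted.html", "data": "<html>planted</html>"})
    # Constructed legitimate request submitted from the application's own page.
    legit = Request("POST", UPLOAD_PATH,
                    headers={"Origin": SITE_ORIGIN},
                    cookies=victim_cookie,
                    form={"name": "report.pdf", "data": "%PDF-1.4",
                          "csrf_token": app.sessions[sid]["csrf"]})
    # Constructed anonymous fetch of the planted file: no cookies at all.
    anon = Request("GET", DOWNLOAD_PREFIX + "planted.html")

    return {
        "forged_upload_vulnerable": app.upload_vulnerable(forged),
        "anon_download_vulnerable": app.download_vulnerable(anon)[0],
        "forged_upload_hardened": app.upload_hardened(forged),
        "legit_upload_hardened": app.upload_hardened(legit),
        "anon_download_hardened": app.download_hardened(anon)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenario().items():
        print(f"{name}: {status}")
```

Running the scenario shows the forged upload accepted (201) and the planted file served to an anonymous client (200) by the vulnerable variant, while the hardened variant rejects the forgery (403), still accepts the legitimate same-origin submission carrying its token (201), and refuses the anonymous download (401). A `SameSite=Lax` or `Strict` session cookie would also stop the classic cross-site form POST, but it is a defence-in-depth measure rather than a substitute for the token and origin checks, and nothing in the record states which cookie attributes Opinio sets.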

PUBLISHED Reserved 2025-12-02 | Published 2025-12-02 | Updated 2025-12-02 | Assigner TCS-CERT




LOW: 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unknown

7.26 rev12562
affected

Timeline

2024-12-01: Vulnerability discovery
2024-12-10: Vulnerability report to TCS-CERT
2024-12-19: Vulnerability report sent to the vendor by email: opinio@support.objectplanet.com
2024-12-24: Feedback requested from the vendor, to check whether they received the PoC in an encrypted archive
2025-01-10: New follow-up email sent to the vendor
2025-01-13: Vendor confirmed receipt of the PoC, asked for a 90-day period before publication (responsible disclosure), and said they would try to fix the vulnerability
2025-01-14: Reply to the vendor acknowledging the 90-day period
2025-03-10: Vendor informed us that they would release the fix by the end of the month
2025-04-23: An email was sent to check where they stood on the release and fixes for the reported issues
2025-06-21: Feedback requested from the vendor regarding their progress
2025-06-30: Feedback requested from the vendor regarding their progress
2025-07-31: The vendor released the fixed version, Opinio 7.27

Credits

Dominique Righetto finder

References

www.objectplanet.com/opinio/changelog.html release-notes

cve.org (CVE-2025-13871)

nvd.nist.gov (CVE-2025-13871)
