
Description

Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination.

Status: PUBLISHED | Reserved 2025-12-02 | Published 2025-12-02 | Updated 2025-12-02 | Assigner TCS-CERT

Severity: LOW 2.1 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N)

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: unknown

7.26 rev12562: affected

Timeline

2024-12-01: Vulnerability discovery
2024-12-10: Vulnerability report to TCS-CERT
2024-12-19: Vulnerability report to vendor through email: opinio@support.objectplanet.com
2024-12-24: Feedback requested from vendor to check whether the vendor received the PoC in an encrypted archive
2025-01-10: New follow-up email was sent to the vendor
2025-01-13: Vendor confirmed receipt of the PoC, asked to wait the 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability
2025-01-14: Answer to vendor acknowledging the 90-day period
2025-03-10: Vendor informed us that they will release the fix by the end of this month
2025-04-23: An email was sent to check where they stand on the release and fixes for the reported issues
2025-06-21: Feedback was requested from the vendor regarding their progress
2025-06-30: Feedback was requested from the vendor regarding their progress
2025-07-31: The vendor released the fixed version, Opinio 7.27

Credits

Dominique Righetto (finder)

References

www.objectplanet.com/opinio/changelog.html (release notes)

cve.org (CVE-2025-13872)

nvd.nist.gov (CVE-2025-13872)
