CVE-2025-13872
📋 TL;DR
This vulnerability allows attackers to perform blind Server-Side Request Forgery (SSRF) attacks through the survey-import feature of ObjectPlanet Opinio. Attackers can force the server to make HTTP GET requests to arbitrary internal or external destinations. Organizations running vulnerable versions of ObjectPlanet Opinio on web platforms are affected.
💻 Affected Systems
- ObjectPlanet Opinio
📦 What is this software?
Opinio by Objectplanet
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to internal networks by making the server request internal resources.
Likely Case
Information disclosure from internal services, reconnaissance of internal network structure, or potential data exfiltration.
If Mitigated
Limited impact if network segmentation restricts server outbound connections and internal service access.
🎯 Exploit Status
Requires access to the survey-import feature, but exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor changelog for fixed version
Vendor Advisory: https://www.objectplanet.com/opinio/changelog.html
Restart Required: Yes
Instructions:
1. Check the vendor changelog for the fixed version
2. Download and install the latest version from ObjectPlanet
3. Restart the Opinio application service
4. Verify the fix by testing the survey-import feature
🔧 Temporary Workarounds
Disable survey-import feature
Temporarily disable the vulnerable survey-import functionality
Modify application configuration to disable import features
Network egress filtering
Restrict outbound HTTP requests from the Opinio server
Configure firewall rules to limit server outbound connections
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Opinio server from internal resources
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Test if the survey-import feature accepts URLs to internal services or external domains
Check Version:
Check application version in admin interface or configuration files
Verify Fix Applied:
Attempt to trigger SSRF through survey-import and verify requests are blocked or validated
📡 Detection & Monitoring
Log Indicators:
- Unusual import requests with external URLs
- Multiple failed import attempts
- Requests to internal IP addresses from the Opinio server
Network Indicators:
- Outbound HTTP requests from Opinio server to unusual destinations
- Requests to internal services from the application server
SIEM Query:
source="opinio_logs" AND (url_import OR survey_import) AND (contains("http://") OR contains("https://"))
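As an added illustration of the log indicators above (example code written for this page, not from the advisory or the vendor), this Python script flags survey-import log entries whose destination is a loopback, private, link-local or otherwise non-public address. The log line format, the `survey_import` event name and the `url=` field are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines; the Opinio log format and field names are assumed.
SAMPLE_LOGS = [
    "2025-11-30T10:01:02Z INFO survey_import user=admin url=https://surveys.example.com/export.xml",
    "2025-11-30T10:01:45Z INFO survey_import user=admin url=http://127.0.0.1:8080/admin",
    "2025-11-30T10:02:10Z INFO survey_import user=guest url=http://169.254.169.254/latest/meta-data/",
    "2025-11-30T10:02:30Z INFO survey_import user=guest url=http://10.0.5.12/internal/",
    "2025-11-30T10:03:00Z INFO login user=admin status=ok",
]

URL_RE = re.compile(r"\burl=(\S+)")
INTERNAL_HOSTNAMES = {"localhost"}


def is_internal_target(url: str) -> bool:
    """True if the URL host is loopback, private, link-local or otherwise not globally routable."""
    host = urlparse(url).hostname
    if host is None:
        return True  # no parsable host: treat as suspicious rather than silently accept
    if host.lower() in INTERNAL_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)  # handles both IPv4 and IPv6 literals
    except ValueError:
        return False  # ordinary DNS name; resolving it to check the answer is out of scope here
    return not ip.is_global


def flag_suspicious_imports(lines):
    """Return (line, url) pairs for survey_import events whose destination is internal."""
    hits = []
    for line in lines:
        if "survey_import" not in line:
            continue
        match = URL_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        if is_internal_target(url):
            hits.append((line, url))
    return hits


if __name__ == "__main__":
    for line, url in flag_suspicious_imports(SAMPLE_LOGS):
        print(f"ALERT internal import target {url}: {line}")
```

Plain DNS names are passed through as non-internal here, so in production pair this with the egress filtering and network indicators listed above rather than relying on the literal-address check alone.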