CVE-2025-13671

Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This issue affects Web Site Management Server: 16.7.0, 16.7.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854846	Vendor Advisory
https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13671/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opentext:web_site_management_server:16.7.0:::::::*
	cpe:2.3:a:opentext:web_site_management_server:16.7.1:::::::*

History

No history.

Information

Published : 2026-02-19 23:16

Updated : 2026-02-27 23:56

NVD link : CVE-2025-13671

Mitre link : CVE-2025-13671

CVE.ORG link : CVE-2025-13671

JSON object : View

Products Affected

opentext

web_site_management_server

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-13671", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@opentext.com", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 5.9, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:H/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "HIGH", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-19T23:16:14.853", "references": [{"url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854846", "tags": ["Vendor Advisory"], "source": "security@opentext.com"}, {"url": "https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13671/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u2122 Web Site Management Server allows Cross Site Request Forgery. The vulnerability could\u00a0make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en OpenText\u2122 Web Site Management Server permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. La vulnerabilidad podr\u00eda hacer que un usuario, con sesi\u00f3n activa dentro del producto, haga clic en una p\u00e1gina que contiene este HTML malicioso, desencadenando la realizaci\u00f3n de cambios inconscientemente.\n\nEste problema afecta a Web Site Management Server: 16.7.0, 16.7.1."}], "lastModified": "2026-02-27T23:56:23.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opentext:web_site_management_server:16.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E000A1B5-35A3-4D7C-9F19-F25445CCBF7D"}, {"criteria": "cpe:2.3:a:opentext:web_site_management_server:16.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A7FFB19-6DF1-433A-9304-F483CEAE2646"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}