CVE-2025-13671

MEDIUM

OpenText Web Site Management Server 16.7.0-16.7.1 - CSRF

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-13671. PoCs published by MarioTesoro.

AI-analyzed exploit summary The repository provides a functional HTML-based PoC for CVE-2025-13671, a CSRF vulnerability in OpenText Web Site Management Server. The exploit demonstrates how an attacker can trick an authenticated admin into changing their password via a crafted POST request.

Description

Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This issue affects Web Site Management Server: 16.7.0, 16.7.1.

Exploits (1)

github WORKING POC
by MarioTesoro · poc
https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2025-13671

The repository provides a functional HTML-based PoC for CVE-2025-13671, a CSRF vulnerability in OpenText Web Site Management Server. The exploit demonstrates how an attacker can trick an authenticated admin into changing their password via a crafted POST request.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: OpenText Web Site Management Server 16.7.0, 16.7.1
Auth required
Prerequisites: Admin user with active session in OpenText Web Site Management Server · Victim interaction (clicking a malicious link)
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.5
EPSS 0.0015
EPSS Percentile 4.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (2)
opentext/web_site_management_server 16.7.0
opentext/web_site_management_server 16.7.1
Published Feb 19, 2026
Tracked Since Feb 20, 2026