CVE-2025-13808 MEDIUM

CVE-2025-13808: orionsec orion-ops User Profile UserController.java update improper authorization

Vendor Orionsec

Product orion-ops

Weakness CWE-285

Published December 1, 2025

Last update December 1, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile Handler. This manipulation of the argument ID causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

December 1, 2025 CVE published

December 1, 2025 Record updated

Identifiers

CVE CVE-2025-13808

CWE CWE-285

CVSS 6.9 / MEDIUM

Affected versions

Vendor Orionsec

Product orion-ops

Affected 5925824997a3109651bbde07460958a7be249ed1