Skip to main content

Opal CVE-2025-27792

Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 security-advisories@github.com

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 22:15 nvd
N/A

DescriptionCVE.org

Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using <meta name="referrer" content="never">, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue.

AnalysisAI

Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using <meta name="referrer" content="never">, effecti...

Technical ContextAI

This vulnerability (CWE-352: Cross-Site Request Forgery (CSRF)) affects s core database application for biobanks or epidemiological studies.. Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using <meta name="referrer" content="never">, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue.

Affected ProductsAI

Product: s core database application for biobanks or epidemiological studies.. Versions: up to 5.1.1.

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2025-27792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy