Search criteria
27 vulnerabilities found for Opinio by Objectplanet
FKIE_CVE-2025-13873
Vulnerability from fkie_nvd - Published: 2025-12-02 10:16 - Updated: 2025-12-04 17:49
Severity ?
Summary
Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | 7.26 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6684DC3A-4DF1-4417-913C-EE8E169B75B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."
}
],
"id": "CVE-2025-13873",
"lastModified": "2025-12-04T17:49:40.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
},
"published": "2025-12-02T10:16:02.073",
"references": [
{
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"tags": [
"Release Notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-13871
Vulnerability from fkie_nvd - Published: 2025-12-02 10:16 - Updated: 2025-12-04 17:54
Severity ?
Summary
Cross-Site Request Forgery (CSRF) in the resource-management feature of
ObjectPlanet Opinio 7.26 rev12562
allows to upload
files on behalf of the connected users and then access such files without authentication.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | 7.26 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6684DC3A-4DF1-4417-913C-EE8E169B75B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) in the resource-management feature of \n\nObjectPlanet Opinio 7.26 rev12562\n\n allows\u00a0to upload \nfiles on behalf of the connected users and then access such files without authentication."
}
],
"id": "CVE-2025-13871",
"lastModified": "2025-12-04T17:54:28.767",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
},
"published": "2025-12-02T10:16:01.687",
"references": [
{
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"tags": [
"Release Notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-13872
Vulnerability from fkie_nvd - Published: 2025-12-02 10:16 - Updated: 2025-12-04 17:52
Severity ?
Summary
Blind Server-Side Request Forgery (SSRF) in the survey-import feature of
ObjectPlanet Opinio 7.26 rev12562 on
Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests
to an arbitrary destination.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | 7.26 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6684DC3A-4DF1-4417-913C-EE8E169B75B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n ObjectPlanet\u00a0Opinio\u00a07.26 rev12562\u00a0on \n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination."
}
],
"id": "CVE-2025-13872",
"lastModified": "2025-12-04T17:52:30.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
},
"published": "2025-12-02T10:16:01.877",
"references": [
{
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"tags": [
"Release Notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-4472
Vulnerability from fkie_nvd - Published: 2024-02-01 22:15 - Updated: 2025-06-11 17:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A09C2A9-4E46-4B49-AC57-DEFD7E693093",
"versionEndExcluding": "7.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application."
},
{
"lang": "es",
"value": "Objectplanet Opinio versi\u00f3n 7.22 y anteriores utiliza un generador de n\u00fameros pseudoaleatorios (PRNG) criptogr\u00e1ficamente d\u00e9bil acoplado a una semilla predecible, lo que podr\u00eda conducir a una apropiaci\u00f3n no autenticada de la cuenta de cualquier usuario de la aplicaci\u00f3n."
}
],
"id": "CVE-2023-4472",
"lastModified": "2025-06-11T17:15:35.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-01T22:15:55.220",
"references": [
{
"source": "mandiant-cve@google.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
},
{
"source": "mandiant-cve@google.com",
"tags": [
"Release Notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "mandiant-cve@google.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-335"
}
],
"source": "mandiant-cve@google.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-335"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-26565
Vulnerability from fkie_nvd - Published: 2021-07-31 17:15 - Updated: 2024-11-21 05:20
Severity ?
Summary
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB50FA7F-D1BB-4D1E-9184-5A47A607FE54",
"versionEndExcluding": "7.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data."
},
{
"lang": "es",
"value": "ObjectPlanet Opinio versiones anteriores a 7.14, permite una Inyecci\u00f3n de Lenguaje de Expresi\u00f3n por medio del par\u00e1metro admin/permissionList.do from. Esto puede ser usado para recuperar datos serverInfo posiblemente confidenciales"
}
],
"id": "CVE-2020-26565",
"lastModified": "2024-11-21T05:20:05.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-31T17:15:07.883",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-26564
Vulnerability from fkie_nvd - Published: 2021-07-31 17:15 - Updated: 2024-11-21 05:20
Severity ?
Summary
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "785F075F-FA8B-4CCC-B3DD-89C29C436F89",
"versionEndExcluding": "7.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI."
},
{
"lang": "es",
"value": "ObjectPlanet Opinio versiones anteriores a 7.15, permite realizar ataques de tipo XXE por medio de tres pasos: modificar un archivo .css para que tenga contenido (! ENTITY, crear un archivo .xml para una plantilla de encuesta gen\u00e9rica (conteniendo un enlace a este archivo .css) e importar este archivo .xml en el URI survey/admin/folderSurvey.do?action=viewImportSurvey[\"importFile\u0027]. El ataque de tipo XXE puede ser desencadenado en el URI admin/preview.do?action=previewSurvey\u0026amp;surveyId="
}
],
"id": "CVE-2020-26564",
"lastModified": "2024-11-21T05:20:05.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-31T17:15:07.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-26806
Vulnerability from fkie_nvd - Published: 2021-07-31 17:15 - Updated: 2024-11-21 05:20
Severity ?
Summary
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "785F075F-FA8B-4CCC-B3DD-89C29C436F89",
"versionEndExcluding": "7.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code."
},
{
"lang": "es",
"value": "El archivo admin/file.do en ObjectPlanet Opinio versiones anteriores a 7.15, permite una carga de Archivos no Restringidos de archivos JSP ejecutables, resultando en una ejecuci\u00f3n de c\u00f3digo remota, porque filePath puede tener un salto de directorio y fileContent puede ser c\u00f3digo JSP v\u00e1lido"
}
],
"id": "CVE-2020-26806",
"lastModified": "2024-11-21T05:20:19.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-31T17:15:07.913",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-26563
Vulnerability from fkie_nvd - Published: 2021-07-30 15:15 - Updated: 2024-11-21 05:20
Severity ?
Summary
ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC11C442-3BE8-437B-A6E9-6A08E2F0F6E8",
"versionEndExcluding": "7.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)"
},
{
"lang": "es",
"value": "ObjectPlanet Opinio versiones anteriores a 7.14, permite un ataque de tipo XSS reflejado por medio de la cadena de consulta survey/admin/surveyAdmin.do?action=viewSurveyAdmin. (Tambi\u00e9n se presenta una vulnerabilidad de tipo XSS almacenado si la entrada a survey/admin/*.do es aceptada por usuarios no confiables)"
}
],
"id": "CVE-2020-26563",
"lastModified": "2024-11-21T05:20:05.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-30T15:15:08.647",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-10798
Vulnerability from fkie_nvd - Published: 2017-07-03 03:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
In ObjectPlanet Opinio before 7.6.4, there is XSS.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.objectplanet.com/opinio/changelog.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| objectplanet | opinio | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC57A53E-E5D7-41BC-A75C-6BB5E039DA8E",
"versionEndIncluding": "7.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In ObjectPlanet Opinio before 7.6.4, there is XSS."
},
{
"lang": "es",
"value": "Hay Cross-Site Scripting (XSS) en ObjectPlanet Opinio en versiones anteriores a la 7.6.4."
}
],
"id": "CVE-2017-10798",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-03T03:29:00.160",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-13873 (GCVE-0-2025-13873)
Vulnerability from nvd – Published: 2025-12-02 09:56 – Updated: 2025-12-02 16:54
VLAI?
Summary
Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:32.048997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:54:53.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of \u003cem\u003e\u003c/em\u003eObjectPlanet\u0026nbsp;Opinio\u0026nbsp;7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:56:16.762Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to import a survey is prone to stored Cross-Site Script attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13873",
"datePublished": "2025-12-02T09:56:16.762Z",
"dateReserved": "2025-12-02T09:17:07.251Z",
"dateUpdated": "2025-12-02T16:54:53.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13872 (GCVE-0-2025-13872)
Vulnerability from nvd – Published: 2025-12-02 09:51 – Updated: 2025-12-02 16:55
VLAI?
Summary
Blind Server-Side Request Forgery (SSRF) in the survey-import feature of
ObjectPlanet Opinio 7.26 rev12562 on
Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests
to an arbitrary destination.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:34.265761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:02.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\n\n\nBlind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eObjectPlanet\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpinio\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;7.26 rev12562\u003c/span\u003e\u0026nbsp;on \u003cem\u003e\u003c/em\u003e\n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination.\n\n\n\n\u003cbr\u003e"
}
],
"value": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n ObjectPlanet\u00a0Opinio\u00a07.26 rev12562\u00a0on \n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:51:59.865Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet\u00a0Opinio",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13872",
"datePublished": "2025-12-02T09:51:59.865Z",
"dateReserved": "2025-12-02T09:17:04.605Z",
"dateUpdated": "2025-12-02T16:55:02.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13871 (GCVE-0-2025-13871)
Vulnerability from nvd – Published: 2025-12-02 09:42 – Updated: 2025-12-02 16:55
VLAI?
Summary
Cross-Site Request Forgery (CSRF) in the resource-management feature of
ObjectPlanet Opinio 7.26 rev12562
allows to upload
files on behalf of the connected users and then access such files without authentication.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:36.706557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:09.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\nCross-Site Request Forgery (CSRF) in the resource-management feature of \u003cem\u003e\u003c/em\u003e\n\n\u003cb\u003eObjectPlanet Opinio 7.26 rev12562\u003c/b\u003e\n\n\u003cem\u003e\u003c/em\u003e allows\u0026nbsp;to upload \nfiles on behalf of the connected users and then access such files without authentication.\n\n\u003cbr\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) in the resource-management feature of \n\nObjectPlanet Opinio 7.26 rev12562\n\n allows\u00a0to upload \nfiles on behalf of the connected users and then access such files without authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:42:51.187Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to manage resources is prone to Cross-Site Request Forgery attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13871",
"datePublished": "2025-12-02T09:42:51.187Z",
"dateReserved": "2025-12-02T09:16:58.809Z",
"dateUpdated": "2025-12-02T16:55:09.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4472 (GCVE-0-2023-4472)
Vulnerability from nvd – Published: 2024-02-01 22:11 – Updated: 2025-06-11 16:45
VLAI?
Summary
Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.
Severity ?
9.8 (Critical)
CWE
- CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Objectplanet | Opinio |
Affected:
7.22
Unaffected: 7.23 |
Credits
Amine Ismail, Mandiant
Amine Ismail, Mandiant
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-4472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:37:11.901532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T16:45:41.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"All",
"Cloud",
"Browser"
],
"product": "Opinio",
"vendor": "Objectplanet",
"versions": [
{
"status": "affected",
"version": "7.22"
},
{
"status": "unaffected",
"version": "7.23"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Amine Ismail, Mandiant"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Amine Ismail, Mandiant"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application."
}
],
"value": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application."
}
],
"impacts": [
{
"capecId": "CAPEC-59",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-59 Session Credential Falsification through Prediction"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T22:11:21.361Z",
"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"shortName": "Mandiant"
},
"references": [
{
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-08-21T17:00:00.000Z",
"value": "Issue reported to Objectplanet and CVE number assigned."
},
{
"lang": "en",
"time": "2023-08-22T17:00:00.000Z",
"value": "Issue confirmed by Objectplanet and announced that a patch will be released in the next version."
},
{
"lang": "en",
"time": "2023-08-31T17:00:00.000Z",
"value": "Objectplanet released version 7.23. Mandiant delayed vulnerability disclosure to allow Opinio customers time to patch."
}
],
"title": "Cryptographically weak PRNG in Opinio 7.22",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"assignerShortName": "Mandiant",
"cveId": "CVE-2023-4472",
"datePublished": "2024-02-01T22:11:21.361Z",
"dateReserved": "2023-08-21T19:42:17.822Z",
"dateUpdated": "2025-06-11T16:45:41.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26565 (GCVE-0-2020-26565)
Vulnerability from nvd – Published: 2021-07-31 16:43 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:43:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26565",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26565",
"datePublished": "2021-07-31T16:43:53",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26564 (GCVE-0-2020-26564)
Vulnerability from nvd – Published: 2021-07-31 16:28 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:05.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:46:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26564",
"datePublished": "2021-07-31T16:28:05",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:05.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26806 (GCVE-0-2020-26806)
Vulnerability from nvd – Published: 2021-07-31 16:13 – Updated: 2024-08-04 16:03
VLAI?
Summary
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:03:22.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:47:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26806",
"datePublished": "2021-07-31T16:13:31",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T16:03:22.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26563 (GCVE-0-2020-26563)
Vulnerability from nvd – Published: 2021-07-30 02:52 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:45:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26563",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26563",
"datePublished": "2021-07-30T02:52:25",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10798 (GCVE-0-2017-10798)
Vulnerability from nvd – Published: 2017-07-03 03:00 – Updated: 2024-08-05 17:50
VLAI?
Summary
In ObjectPlanet Opinio before 7.6.4, there is XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:50:11.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In ObjectPlanet Opinio before 7.6.4, there is XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-03T02:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10798",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ObjectPlanet Opinio before 7.6.4, there is XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10798",
"datePublished": "2017-07-03T03:00:00",
"dateReserved": "2017-07-02T00:00:00",
"dateUpdated": "2024-08-05T17:50:11.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13873 (GCVE-0-2025-13873)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:56 – Updated: 2025-12-02 16:54
VLAI?
Summary
Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:32.048997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:54:53.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of \u003cem\u003e\u003c/em\u003eObjectPlanet\u0026nbsp;Opinio\u0026nbsp;7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:56:16.762Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to import a survey is prone to stored Cross-Site Script attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13873",
"datePublished": "2025-12-02T09:56:16.762Z",
"dateReserved": "2025-12-02T09:17:07.251Z",
"dateUpdated": "2025-12-02T16:54:53.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13872 (GCVE-0-2025-13872)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:51 – Updated: 2025-12-02 16:55
VLAI?
Summary
Blind Server-Side Request Forgery (SSRF) in the survey-import feature of
ObjectPlanet Opinio 7.26 rev12562 on
Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests
to an arbitrary destination.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:34.265761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:02.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\n\n\nBlind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eObjectPlanet\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpinio\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;7.26 rev12562\u003c/span\u003e\u0026nbsp;on \u003cem\u003e\u003c/em\u003e\n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination.\n\n\n\n\u003cbr\u003e"
}
],
"value": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n ObjectPlanet\u00a0Opinio\u00a07.26 rev12562\u00a0on \n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:51:59.865Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet\u00a0Opinio",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13872",
"datePublished": "2025-12-02T09:51:59.865Z",
"dateReserved": "2025-12-02T09:17:04.605Z",
"dateUpdated": "2025-12-02T16:55:02.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13871 (GCVE-0-2025-13871)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:42 – Updated: 2025-12-02 16:55
VLAI?
Summary
Cross-Site Request Forgery (CSRF) in the resource-management feature of
ObjectPlanet Opinio 7.26 rev12562
allows to upload
files on behalf of the connected users and then access such files without authentication.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:36.706557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:09.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\nCross-Site Request Forgery (CSRF) in the resource-management feature of \u003cem\u003e\u003c/em\u003e\n\n\u003cb\u003eObjectPlanet Opinio 7.26 rev12562\u003c/b\u003e\n\n\u003cem\u003e\u003c/em\u003e allows\u0026nbsp;to upload \nfiles on behalf of the connected users and then access such files without authentication.\n\n\u003cbr\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) in the resource-management feature of \n\nObjectPlanet Opinio 7.26 rev12562\n\n allows\u00a0to upload \nfiles on behalf of the connected users and then access such files without authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:42:51.187Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to manage resources is prone to Cross-Site Request Forgery attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13871",
"datePublished": "2025-12-02T09:42:51.187Z",
"dateReserved": "2025-12-02T09:16:58.809Z",
"dateUpdated": "2025-12-02T16:55:09.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4472 (GCVE-0-2023-4472)
Vulnerability from cvelistv5 – Published: 2024-02-01 22:11 – Updated: 2025-06-11 16:45
VLAI?
Summary
Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.
Severity ?
9.8 (Critical)
CWE
- CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Objectplanet | Opinio |
Affected:
7.22
Unaffected: 7.23 |
Credits
Amine Ismail, Mandiant
Amine Ismail, Mandiant
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-4472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:37:11.901532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T16:45:41.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"All",
"Cloud",
"Browser"
],
"product": "Opinio",
"vendor": "Objectplanet",
"versions": [
{
"status": "affected",
"version": "7.22"
},
{
"status": "unaffected",
"version": "7.23"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Amine Ismail, Mandiant"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Amine Ismail, Mandiant"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application."
}
],
"value": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application."
}
],
"impacts": [
{
"capecId": "CAPEC-59",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-59 Session Credential Falsification through Prediction"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T22:11:21.361Z",
"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"shortName": "Mandiant"
},
"references": [
{
"url": "https://www.objectplanet.com/opinio/changelog.html"
},
{
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-08-21T17:00:00.000Z",
"value": "Issue reported to Objectplanet and CVE number assigned."
},
{
"lang": "en",
"time": "2023-08-22T17:00:00.000Z",
"value": "Issue confirmed by Objectplanet and announced that a patch will be released in the next version."
},
{
"lang": "en",
"time": "2023-08-31T17:00:00.000Z",
"value": "Objectplanet released version 7.23. Mandiant delayed vulnerability disclosure to allow Opinio customers time to patch."
}
],
"title": "Cryptographically weak PRNG in Opinio 7.22",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484",
"assignerShortName": "Mandiant",
"cveId": "CVE-2023-4472",
"datePublished": "2024-02-01T22:11:21.361Z",
"dateReserved": "2023-08-21T19:42:17.822Z",
"dateUpdated": "2025-06-11T16:45:41.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26565 (GCVE-0-2020-26565)
Vulnerability from cvelistv5 – Published: 2021-07-31 16:43 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:43:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26565",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163708/ObjectPlanet-Opinio-7.13-Expression-Language-Injection.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26565",
"datePublished": "2021-07-31T16:43:53",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26564 (GCVE-0-2020-26564)
Vulnerability from cvelistv5 – Published: 2021-07-31 16:28 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:05.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:46:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26564",
"datePublished": "2021-07-31T16:28:05",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:05.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26806 (GCVE-0-2020-26806)
Vulnerability from cvelistv5 – Published: 2021-07-31 16:13 – Updated: 2024-08-04 16:03
VLAI?
Summary
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:03:22.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:47:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26806",
"datePublished": "2021-07-31T16:13:31",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T16:03:22.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26563 (GCVE-0-2020-26563)
Vulnerability from cvelistv5 – Published: 2021-07-30 02:52 – Updated: 2024-08-04 15:56
VLAI?
Summary
ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-31T16:45:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26563",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/163699/ObjectPlanet-Opinio-7.12-Cross-Site-Scripting.html"
},
{
"name": "https://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26563",
"datePublished": "2021-07-30T02:52:25",
"dateReserved": "2020-10-05T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10798 (GCVE-0-2017-10798)
Vulnerability from cvelistv5 – Published: 2017-07-03 03:00 – Updated: 2024-08-05 17:50
VLAI?
Summary
In ObjectPlanet Opinio before 7.6.4, there is XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:50:11.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In ObjectPlanet Opinio before 7.6.4, there is XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-03T02:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10798",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ObjectPlanet Opinio before 7.6.4, there is XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.objectplanet.com/opinio/changelog.html",
"refsource": "CONFIRM",
"url": "http://www.objectplanet.com/opinio/changelog.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10798",
"datePublished": "2017-07-03T03:00:00",
"dateReserved": "2017-07-02T00:00:00",
"dateUpdated": "2024-08-05T17:50:11.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}