Vulnerability-Lookup

GHSA-WR88-5946-RQ47

Vulnerability from github – Published: 2025-12-02 12:30 – Updated: 2025-12-04 18:30

Details

Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.

Severity

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

4.8 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-13873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T10:16:02Z",
    "severity": "MODERATE"
  },
  "details": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.",
  "id": "GHSA-wr88-5946-rq47",
  "modified": "2025-12-04T18:30:42Z",
  "published": "2025-12-02T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13873"
    },
    {
      "type": "WEB",
      "url": "https://www.objectplanet.com/opinio/changelog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2025-13873 (GCVE-0-2025-13873)

Vulnerability from cvelistv5 – Published: 2025-12-02 09:56 – Updated: 2025-12-02 16:54

Title

The feature to import a survey is prone to stored Cross-Site Script attacks

Summary

Severity

4.8 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Assigner

TCS-CERT

References

1 reference

URL	Tags
https://www.objectplanet.com/opinio/changelog.html	release-notes

Impacted products

1 product

Vendor	Product	Version
ObjectPlanet	Opinio	Affected: 7.26 rev12562

Date Public

2025-07-31 08:00

Credits

Dominique Righetto

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T16:50:32.048997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T16:54:53.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "The feature to import a survey"
          ],
          "product": "Opinio",
          "vendor": "ObjectPlanet",
          "versions": [
            {
              "status": "affected",
              "version": "7.26 rev12562"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dominique Righetto"
        }
      ],
      "datePublic": "2025-07-31T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of \u003cem\u003e\u003c/em\u003eObjectPlanet\u0026nbsp;Opinio\u0026nbsp;7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.\n\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T09:56:16.762Z",
        "orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
        "shortName": "TCS-CERT"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.objectplanet.com/opinio/changelog.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-01T09:10:00.000Z",
          "value": "Vulnerability discovery"
        },
        {
          "lang": "en",
          "time": "2024-12-10T14:22:00.000Z",
          "value": "Vulnerability Report to TCS-CERT"
        },
        {
          "lang": "en",
          "time": "2024-12-19T15:33:00.000Z",
          "value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
        },
        {
          "lang": "en",
          "time": "2024-12-24T15:34:00.000Z",
          "value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
        },
        {
          "lang": "en",
          "time": "2025-01-10T15:32:00.000Z",
          "value": "New follow-up email was send to the vendor"
        },
        {
          "lang": "en",
          "time": "2025-01-13T15:37:00.000Z",
          "value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
        },
        {
          "lang": "en",
          "time": "2025-01-14T15:37:00.000Z",
          "value": "Answer to vendor to acknowledge 90 days period"
        },
        {
          "lang": "en",
          "time": "2025-03-10T15:38:00.000Z",
          "value": "Vendor informed us that they will realse the fix by the end of this month"
        },
        {
          "lang": "en",
          "time": "2025-04-23T14:39:00.000Z",
          "value": "An email was sent to check where they stand on the release and fixes for the reported issues"
        },
        {
          "lang": "en",
          "time": "2025-06-21T14:39:00.000Z",
          "value": "A feedback was requested from vendor regarding their progreess"
        },
        {
          "lang": "en",
          "time": "2025-06-30T14:39:00.000Z",
          "value": "A feedback was requested from vendor regarding their progreess"
        },
        {
          "lang": "en",
          "time": "2025-07-31T14:39:00.000Z",
          "value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
        }
      ],
      "title": "The feature to import a survey is prone to stored Cross-Site Script attacks",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
    "assignerShortName": "TCS-CERT",
    "cveId": "CVE-2025-13873",
    "datePublished": "2025-12-02T09:56:16.762Z",
    "dateReserved": "2025-12-02T09:17:07.251Z",
    "dateUpdated": "2025-12-02T16:54:53.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-WR88-5946-RQ47

CVE-2025-13873 (GCVE-0-2025-13873)

Tags

Sightings

Nomenclature