9 matches found
CVE-2020-26564
ObjectPlanet Opinio is affected by XXE in versions before 7.15. The vulnerability arises from a sequence where an attacker modifies a CSS file to include an ENTITY, creates an XML that references that CSS, and imports the XML via the survey admin interface, enabling an XXE that can be triggered d...
CVE-2020-26565
ObjectPlanet Opinio before 7.14 is vulnerable to an Expression Language Injection via the admin/permissionList.do parameter, allowing retrieval of potentially sensitive serverInfo data. The issue affects Opinio versions prior to 7.14; remediation is upgrading to 7.14 or later. PoCs and public wri...
CVE-2020-26806
ObjectPlanet Opinio is affected by CVE-2020-26806 in versions before 7.15. The vulnerability allows Unrestricted File Upload of executable JSP files via admin/file.do, enabling remote code execution because filePath can be traversed and fileContent can contain JSP. The issue is demonstrated as an...
CVE-2020-26563
ObjectPlanet Opinio before 7.14 is vulnerable to reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string, with stored XSS if inputs to survey/admin/*.do come from untrusted users. Affected versions are prior to 7.14; a fix/patch was provided by ObjectPlanet (referenc...
CVE-2023-4472
Objectplanet Opinio 7.22 and earlier are affected by a cryptographically weak PRNG with a predictable seed, enabling unauthenticated takeover of any user’s account. Root cause: weak PRNG in Opinio’s code path. Impact: high confidentiality, integrity, and availability risk via network attack; no u...
CVE-2017-10798
ObjectPlanet Opinio vulnerable to a reflected XSS in versions up to 7.6.3, fixed in 7.6.4. The issue affects the /admin/reportPortal.do page via the userLanguage GET parameter, exploitable by remote unauthenticated users. Proof-of-concept shows a crafted input can trigger script execution; upgrad...
CVE-2025-13873
ObjectPlanet Opinio 7.26 rev12562 is affected by a stored Cross-Site Scripting (XSS) in the survey-import feature. The vulnerability arises from the import path, allowing an attacker to inject JavaScript that executes in the browsing context of visitors accessing the compromised survey. No exploi...
CVE-2025-13871
CVE-2025-13871 concerns CSRF in the Resource-Management feature of ObjectPlanet Opinio 7.26 rev12562. The vulnerability allows uploading files on behalf of authenticated users and subsequently accessing those files without authentication. Concrete details across connected sources confirm the affe...
CVE-2025-13872
CVE-2025-13872 affects ObjectPlanet Opinio 7.26 rev12562. The survey-import feature is vulnerable to Blind Server-Side Request Forgery (SSRF), allowing an attacker to force the server to issue HTTP GET requests to an arbitrary destination. Public details in the connected sources confirm the affec...