Home

Description

Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.

PUBLISHED Reserved 2025-12-02 | Published 2025-12-02 | Updated 2025-12-02 | Assigner TCS-CERT




MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unknown

7.26 rev12562
affected

Timeline

2024-12-01:Vulnerability discovery
2024-12-10:Vulnerability Report to TCS-CERT
2024-12-19:Vulnerability Report to Vendor through email : opinio@support.objectplanet.com
2024-12-24:Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive
2025-01-10:New follow-up email was send to the vendor
2025-01-13:Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability
2025-01-14:Answer to vendor to acknowledge 90 days period
2025-03-10:Vendor informed us that they will realse the fix by the end of this month
2025-04-23:An email was sent to check where they stand on the release and fixes for the reported issues
2025-06-21:A feedback was requested from vendor regarding their progreess
2025-06-30:A feedback was requested from vendor regarding their progreess
2025-07-31:The vendor released the newer fixed version which is the Opinio Version 7.27

Credits

Dominique Righetto finder

References

www.objectplanet.com/opinio/changelog.html release-notes

cve.org (CVE-2025-13873)

nvd.nist.gov (CVE-2025-13873)

Download JSON