Objectplanet

objectplanet

9 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-13873 1Objectplanet 1Opinio Dec 4, 2025 Dec 2, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any...Show more Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.Show less
CVE-2025-13872 1Objectplanet 1Opinio Dec 4, 2025 Dec 2, 2025 2.1 LOW· v4 9.1 CRITICAL· v3 N/A· v2 Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted impor...Show more Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination.Show less
CVE-2025-13871 1Objectplanet 1Opinio Dec 4, 2025 Dec 2, 2025 2.3 LOW· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows to upload files on behalf of the connected users and then access such files without authentication.
CVE-2023-4472 1Objectplanet 1Opinio Jun 11, 2025 Feb 1, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the app...Show more Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.Show less
CVE-2020-26806 1Objectplanet 1Opinio Nov 21, 2024 Jul 31, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP...Show more admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.Show less
CVE-2020-26565 1Objectplanet 1Opinio Nov 21, 2024 Jul 31, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26564 1Objectplanet 1Opinio Nov 21, 2024 Jul 31, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xm...Show more ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.Show less
CVE-2020-26563 1Objectplanet 1Opinio Nov 21, 2024 Jul 30, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)
CVE-2017-10798 1Objectplanet 1Opinio May 13, 2026 Jul 3, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In ObjectPlanet Opinio before 7.6.4, there is XSS.