Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Objectplanet Subscribe
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-26565 1 Objectplanet 1 Opinio 2021-08-09 5.0 MEDIUM 7.5 HIGH
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806 1 Objectplanet 1 Opinio 2021-08-09 6.5 MEDIUM 8.8 HIGH
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
CVE-2020-26564 1 Objectplanet 1 Opinio 2021-08-09 4.0 MEDIUM 6.5 MEDIUM
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.
CVE-2020-26563 1 Objectplanet 1 Opinio 2021-08-02 4.3 MEDIUM 6.1 MEDIUM
ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.)
CVE-2017-10798 1 Objectplanet 1 Opinio 2017-07-05 4.3 MEDIUM 6.1 MEDIUM
In ObjectPlanet Opinio before 7.6.4, there is XSS.