{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-13873","assignerOrgId":"64c5ae8f-7972-4697-86a0-7ada793ac795","state":"PUBLISHED","assignerShortName":"TCS-CERT","dateReserved":"2025-12-02T09:17:07.251Z","datePublished":"2025-12-02T09:56:16.762Z","dateUpdated":"2025-12-02T16:54:53.196Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","modules":["The feature to import a survey"],"product":"Opinio","vendor":"ObjectPlanet","versions":[{"status":"affected","version":"7.26 rev12562"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Dominique Righetto"}],"datePublic":"2025-07-31T08:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Stored Cross-Site Scripting (XSS) in the survey-import feature of <em></em>ObjectPlanet&nbsp;Opinio&nbsp;7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.\n\n\n\n\n\n<br>"}],"value":"Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."}],"impacts":[{"capecId":"CAPEC-592","descriptions":[{"lang":"en","value":"CAPEC-592 Stored XSS"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.8,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"64c5ae8f-7972-4697-86a0-7ada793ac795","shortName":"TCS-CERT","dateUpdated":"2025-12-02T09:56:16.762Z"},"references":[{"tags":["release-notes"],"url":"https://www.objectplanet.com/opinio/changelog.html"}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2024-12-01T09:10:00.000Z","value":"Vulnerability discovery"},{"lang":"en","time":"2024-12-10T14:22:00.000Z","value":"Vulnerability Report to TCS-CERT"},{"lang":"en","time":"2024-12-19T15:33:00.000Z","value":"Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"},{"lang":"en","time":"2024-12-24T15:34:00.000Z","value":"Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"},{"lang":"en","time":"2025-01-10T15:32:00.000Z","value":"New follow-up email was send to the vendor"},{"lang":"en","time":"2025-01-13T15:37:00.000Z","value":"Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"},{"lang":"en","time":"2025-01-14T15:37:00.000Z","value":"Answer to vendor to acknowledge 90 days period"},{"lang":"en","time":"2025-03-10T15:38:00.000Z","value":"Vendor informed us that they will realse the fix by the end of this month"},{"lang":"en","time":"2025-04-23T14:39:00.000Z","value":"An email was sent to check where they stand on the release and fixes for the reported issues"},{"lang":"en","time":"2025-06-21T14:39:00.000Z","value":"A feedback was requested from vendor regarding their progreess"},{"lang":"en","time":"2025-06-30T14:39:00.000Z","value":"A feedback was requested from vendor regarding their progreess"},{"lang":"en","time":"2025-07-31T14:39:00.000Z","value":"The vendor released the newer fixed version which is the Opinio Version 7.27"}],"title":"The feature to import a survey is prone to stored Cross-Site Script attacks","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-02T16:50:32.048997Z","id":"CVE-2025-13873","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-02T16:54:53.196Z"}}]}}