彙總 objectplanet 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 跨站腳本與CSRF 等問題,部分漏洞可能導致 工作階段劫持,並影響 軟體部署與生產負載 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2025-13873 | Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey. | 64c5ae8f-7972-4697-86a0-7ada793ac795 | 4.8 | 0.02% | 2025-12-02 | 2025-12-04 |
| CVE-2025-13872 | Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination. | 64c5ae8f-7972-4697-86a0-7ada793ac795 | 2.1 | 0.03% | 2025-12-02 | 2025-12-04 |
| CVE-2025-13871 | Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows to upload files on behalf of the connected users and then access such files without authentication. | 64c5ae8f-7972-4697-86a0-7ada793ac795 | 2.3 | 0.02% | 2025-12-02 | 2025-12-04 |
| CVE-2023-4472 | Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application. | [email protected] | 9.8 | 0.12% | 2024-02-01 | 2025-06-11 |
| CVE-2020-26806 | admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code. | [email protected] | 8.8 | 5.03% | 2021-07-31 | 2024-11-21 |
| CVE-2020-26565 | ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data. | [email protected] | 7.5 | 0.40% | 2021-07-31 | 2024-11-21 |
| CVE-2020-26564 | ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI. | [email protected] | 6.5 | 0.19% | 2021-07-31 | 2024-11-21 |
| CVE-2020-26563 | ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmin query string. (There is also stored XSS if input to survey/admin/*.do is accepted from untrusted users.) | [email protected] | 6.1 | 0.28% | 2021-07-30 | 2024-11-21 |
| CVE-2017-10798 | In ObjectPlanet Opinio before 7.6.4, there is XSS. | [email protected] | 6.1 | 0.27% | 2017-07-03 | 2026-05-13 |