
CVE-2025-13873: Urgent Alert – Stored XSS in ObjectPlanet Opinio Survey Import Feature

Overview

CVE-2025-13873 describes a stored Cross-Site Scripting (XSS) vulnerability in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562. An attacker can embed JavaScript in a survey file so that it is stored as part of the survey when the file is imported. Every user who later views that survey runs the injected script in their own browser, which can lead to session hijacking, credential theft, or actions performed with the victim's privileges.

Technical Details

The vulnerability lies in how Opinio handles user-supplied data during the survey import process. Fields taken from the imported file (the available information does not list them; question titles and descriptions are the obvious candidates) are stored without adequate validation and, more importantly, are rendered later without output encoding, so HTML and JavaScript embedded in those fields reach the browser intact. The attack therefore consists of crafting a survey file in a format Opinio's import accepts, placing the XSS payload in one of those fields, and importing it; every user who subsequently views the survey executes the payload. Importing a survey normally requires an account with survey-management rights, so the attacker either holds such an account or convinces an administrator to import a file from an untrusted source; the original report does not state which privilege level is required, and that detail matters for scoring.

Affected Version: ObjectPlanet Opinio 7.26 rev12562

Vulnerability Type: Stored Cross-Site Scripting (XSS)

CVSS Analysis

No CVSS score was published with the information available here, so a vector and score cannot be assigned with confidence; consult the vendor advisory or the NVD entry once one is available. For a stored XSS the deciding metrics are usually the privileges required to perform the import, the fact that a victim must view the survey (user interaction required), and whether scope changes because the injected script runs in the victim's browser rather than on the server; the confidentiality and integrity impact follow from what the victim's session is allowed to do.

Possible Impact

The impact of this stored XSS vulnerability can be significant. An attacker could:

  • Hijack sessions or steal credentials: read session cookies that are not marked HttpOnly, or overlay a fake login form or keylogger on the survey page to capture what the user types.
  • Deface the application: alter the content or behaviour of the survey pages for every user who views them.
  • Redirect users to malicious websites: send viewers to phishing pages or sites hosting malware.
  • Perform actions on behalf of the user: issue requests with the victim's session to modify survey responses, create or delete surveys, or change settings; because the requests originate from the application's own origin, CSRF protections do not help.
  • Spread the attack: if an administrator views the survey, the script can import further surveys carrying payloads or create accounts, widening the compromise.

Mitigation and Patch Steps

  1. Upgrade Opinio: The primary mitigation is to upgrade to a version of Opinio that addresses this vulnerability. Check the ObjectPlanet Opinio changelog (linked below) for the availability of a security update.
  2. Output Encoding and Input Validation: The durable fix belongs in the application: encode every stored survey field for the HTML context it is rendered into (element content, attribute value, JavaScript string) at output time. Encoding before storage is not a substitute; it is applied blind to the eventual context, corrupts legitimate text, and leads to double encoding. Validation at import (structure, field types and lengths, rejection of unexpected markup) is still worth doing as a second layer. Until a patch is available, restrict who may import surveys and only import files from trusted sources.
  3. Content Security Policy (CSP): A CSP that disallows inline scripts (no 'unsafe-inline' in script-src, with nonces or hashes for the application's own inline scripts) stops an injected script from running even though it reached the page. Opinio's interface may depend on inline scripts, so roll the policy out with Content-Security-Policy-Report-Only first and review the violation reports before enforcing it.
  4. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities. After patching, also review already-stored surveys for payloads imported before the fix, since upgrading does not remove what is already in the database.

References

ObjectPlanet Opinio Changelog

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
