CVE-2025-13873 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the survey-import feature of ObjectPlanet Opinio 7.26 (rev12562). It allows an attacker with elevated privileges to inject arbitrary JavaScript through the survey-import functionality; the script is stored with the survey and executes in the browsing context of any visitor who opens the compromised survey. With a CVSS 4.0 score of 4.8 (Medium severity), this vulnerability poses a significant risk to organizations using Opinio for survey management.
Stored XSS vulnerabilities are particularly dangerous as the malicious payload persists on the server and affects every user who views the compromised content. In this case, survey respondents and administrators could be targeted when interacting with a maliciously crafted survey.
Critical Impact
Attackers can inject persistent JavaScript code through the survey-import feature, potentially stealing session tokens, credentials, or performing actions on behalf of authenticated users visiting compromised surveys.
Affected Products
- ObjectPlanet Opinio version 7.26 (rev12562)
- Web-based survey management applications running vulnerable Opinio versions
Discovery Timeline
- 2025-12-02 - CVE-2025-13873 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-13873
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The attack vector is network-based (AV:N) with low attack complexity (AC:L), though it requires high privileges (PR:H) to exploit and passive user interaction (UI:P).
The CVSS 4.0 vector string is: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The EPSS (Exploit Prediction Scoring System) score is 0.033% (the estimated probability of exploitation activity in the next 30 days), placing it at the 9.119th percentile of all scored CVEs, which suggests a relatively low likelihood of active exploitation in the wild at present.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and output encoding within the survey-import feature of ObjectPlanet Opinio. When survey data is imported into the application, user-controlled input fields are not properly sanitized before being stored in the database or rendered in the browser. This allows malicious JavaScript code embedded within imported survey data to be stored and subsequently executed when surveys are viewed.
Attack Vector
The attack leverages the survey-import functionality as the entry point. An attacker with elevated privileges (such as a survey administrator) can craft a malicious survey file containing JavaScript payloads embedded within survey fields such as question text, answer options, or survey descriptions. When this file is imported through the survey-import feature, the malicious code is stored in the application's database.
Subsequently, when any user—whether an administrator, survey editor, or survey respondent—accesses the compromised survey, the stored JavaScript executes within their browser context. This can enable attackers to:
- Steal session cookies and authentication tokens
- Redirect users to malicious websites
- Perform actions on behalf of authenticated users
- Capture sensitive form data entered by survey respondents
- Modify the appearance or behavior of the survey page
In short, imported survey fields are neither validated on import nor encoded on output: a JavaScript payload placed in such a field is stored as-is and, when the survey is rendered, the browser parses it as markup and executes it. For detailed technical information, refer to the ObjectPlanet Opinio changelog.
Detection Methods for CVE-2025-13873
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in survey content fields within the database
- Browser console errors indicating blocked script execution (if CSP is enabled)
- Unusual network requests originating from survey pages to external domains
- Survey content containing script tags (<script>), javascript: URIs, or inline event-handler attributes such as onerror or onload, including HTML-entity-encoded or URL-encoded forms of them
- Audit logs showing survey imports from untrusted sources followed by suspicious user activity
Detection Strategies
Organizations should implement monitoring at multiple layers to detect potential exploitation:
Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block XSS patterns in HTTP requests, particularly those targeting the survey-import endpoint.
Database Monitoring: Implement triggers or periodic scans to detect JavaScript patterns stored in survey-related database tables.
Content Security Policy Violations: Enable CSP reporting to identify attempts to execute inline scripts or load external resources from unauthorized domains.
Application Logging: Review logs for the survey-import feature, focusing on imports from privileged accounts and any subsequent unusual access patterns to imported surveys.
Monitoring Recommendations
- Enable verbose logging on the Opinio application server, particularly for the survey-import module
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious browser-based activity
- Implement real-time alerting for CSP violation reports
- Conduct regular security audits of stored survey content to identify potentially malicious payloads
- Monitor user session behavior for anomalies following survey access events
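The database-monitoring and stored-content audit checks above can be run as a script over survey rows exported from the database. This is an added example, not Opinio code or a tool from the advisory: it decodes entity- and percent-encoded values before matching so that an encoded payload is not missed, and the record layout (id, title, description, questions with text and options) and the sample rows are constructed for the example rather than taken from Opinio's schema.

```python
import html
import re
import urllib.parse

# Indicators from the advisory's IoC list plus other script-capable elements.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}

def normalize(text: str) -> str:
    """Repeatedly undo entity/percent encoding and drop NULs so hidden payloads still match."""
    prev = None
    while prev != text:
        prev = text
        text = urllib.parse.unquote(html.unescape(text))
    return text.replace("\x00", "")

def scan_survey(survey: dict) -> list[dict]:
    """One finding per (field, indicator) hit; the record shape is assumed, not Opinio's schema."""
    findings = []
    def check(path, value):
        norm = normalize(value)
        for name, rx in INDICATORS.items():
            if rx.search(norm):
                findings.append({"survey": survey["id"], "field": path, "indicator": name})
    check("title", survey.get("title", ""))
    check("description", survey.get("description", ""))
    for qi, q in enumerate(survey.get("questions", [])):
        check(f"questions[{qi}].text", q.get("text", ""))
        for oi, opt in enumerate(q.get("options", [])):
            check(f"questions[{qi}].options[{oi}]", opt)
    return findings

# Constructed sample records standing in for rows read from the survey tables.
SAMPLE_SURVEYS = [
    {"id": 1, "title": "Customer satisfaction", "description": "Is 2 < 3? Yes & no.",
     "questions": [{"text": "Rate us", "options": ["Good", "Bad"]}]},
    {"id": 2, "title": "Q4 feedback", "description": "<script>alert(1)</script>",
     "questions": [{"text": "Pick one", "options": ["&lt;img src=x onerror=alert(1)&gt;", "OK"]},
                   {"text": "Visit <a href='javascript%3Aalert(1)'>here</a>", "options": []}]},
]

if __name__ == "__main__":
    for s in SAMPLE_SURVEYS:
        for finding in scan_survey(s):
            print(finding)
```

A benign field with a bare "<" or "&" produces no finding, while the entity-encoded and URL-encoded payloads in the second record are reported with the exact field path.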
How to Mitigate CVE-2025-13873
Immediate Actions Required
- Review all recently imported surveys for suspicious content containing JavaScript or HTML tags
- Restrict access to the survey-import feature to only trusted administrators
- Implement strict Content Security Policy headers to prevent inline script execution
- Enable input validation and output encoding at the application level where possible
- Consider temporarily disabling the survey-import feature until a patch is applied
Patch Information
Organizations should consult the official ObjectPlanet Opinio changelog for security updates addressing this vulnerability. The changelog is available at: https://www.objectplanet.com/opinio/changelog.html
Apply any available security patches or updates from ObjectPlanet that address CWE-79 vulnerabilities in the survey-import functionality. Ensure you upgrade to a version newer than 7.26 (rev12562) once a patched version becomes available.
Workarounds
If immediate patching is not possible, implement the following compensating controls:
Content Security Policy Implementation: Configure your web server to include strict CSP headers that prevent inline script execution. Roll the policy out first as Content-Security-Policy-Report-Only and review the violation reports, because an application that relies on its own inline scripts will break under script-src 'self':
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';
Additional Workarounds:
- Implement server-side input validation to strip or encode HTML/JavaScript from imported survey data before storage
- Use a web application firewall to filter XSS payloads targeting the survey-import endpoint
- Limit survey-import privileges to a minimal number of highly trusted administrators
- Conduct manual review of all imported survey content before publishing
- Consider using an HTML sanitization library to process imported content server-side
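The server-side sanitization workaround, as an added example that is not Opinio's code: an allowlist sanitizer built on Python's html.parser that keeps basic formatting in an imported survey text field while dropping script and style elements together with their content, every event-handler attribute, and any link whose scheme is not http, https or mailto. The allowlist itself is an assumption chosen for the example; tune it to the markup your surveys actually need.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # no style and no on* handlers on any tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}   # element removed together with its text

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                    # unknown tag dropped, its text survives escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue              # rejects javascript:, data: and relative links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open:        # close it and anything still open inside it
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))

def sanitize(fragment: str) -> str:
    # Rebuilds the field from allowlisted tags only; all text is re-escaped on output.
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open))
```

Apply sanitize() to every text-bearing field of the imported survey (title, description, question text, answer options) before it is written to the database; it is a storage-side control and does not replace output encoding in the templates.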
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.