# Exploit Title: ObjectPlanet Opinio 7.12 allows Cross-Site Scripting # Vendor Homepage: https://www.objectplanet.com/opinio/ # Software Link: https://www.objectplanet.com/opinio/ # Exploit Authors: Ang Kar Min (https://www.linkedin.com/in/karmin-ang) # CVE: CVE-2020-26563 # Timeline - September 2019: Initial discovery - July 2020: Reported to ObjectPlanet - August 2020: Fix/patch provided by ObjectPlanet - July 2021: Published CVE-2020-26563 # 1. Introduction Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. # 2. Vulnerability Details ObjectPlanet Opinio before version 7.13 is vulnerable to stored Cross-Site Scripting (Stored XSS) and reflected Cross-Site Scripting (Reflected XSS). # 3. Proof of Concept ### Reflected XSS executed in URL ### The following payload was executed when injected as part of the URL"/survey/admin/surveyAdmin.do?action=viewSurveyAdmin&surveyId=1234": “&zwzc4%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dconfirm(1)%2f%2f” Affected URL:/survey/admin/surveyAdmin.do? ### Stored XSS ### Stored XSS payload such as “<script>alert(‘XSS ATTACK’)</script> can be saved in various parameter fields. The malicious payload is executed when a user visits a page that preview or published the payloads. Stored XSS payload such “<script>alert(‘XSS ATTACK’)</script> can be saved in various parameter fields and executed when a user visits a page where the payload is retrieved. For example, a survey question can be created as part of a survey to store the malicious payload. When this survey previewed, the payload will be retrieved and trigger the XSS vulnerability. This stored XSS vulnerability affects any page where the affected parameters are accepted and triggered similarly as described in the previous example. Affected URL(s) and Parameter(s): - /survey/admin/question.do 'questionText', 'ratingMinText', 'ratingMaxText', 'ratingNALabel', 'multMinError', 'numError', 'numPrefix', 'numPostfix', 'numReqError', 'dropdownLabel', parameters - /survey/admin/section.do 'title' parameter - /survey/admin/sectionText.do 'text' parameter - /survey/admin/plugin.do 'plugin_survey_closed_message', 'plugin_restrict_nrics', '&plugin_survey_email_content' parameter - /survey/admin/confirm.do 'confirmMessageKeyParam', ‘org.apache.struts.taglib.html.TOKEN’ parameter - /survey/admin/folder.do 'msgKey' parameter - /survey/admin/file.do 'resourceName', ‘resourcePath’ parameter - /survey/admin/setup.do 'characterEncoding', 'emailForErrors', 'fromEmail', 'language', 'systemBaseUrl' parameters - /survey/admin/questionList.do?action=viewQuestionList&surveyId=1806 arbitrarily supplied URL parameter - /survey/admin/resources.do?action=viewResourcesByType&resourceType=8&fileListType=6125&selectedPreviewLocation=&selectedPreviewHeight=&selectedPreviewWidth=&selectedRadioId=select1_&copyToPosition=-1&isSimpleLayout=false arbitrarily supplied URL parameter - /survey/admin/surveyAdmin.do?action=viewSurveyAdmin&surveyId=3404&isPoll=1 arbitrarily supplied URL parameter # 4. Remediation Apply the latest fix/patch from objectplanet. # 5. Credits Ang Kar Min (https://www.linkedin.com/in/karmin-ang)