Search criteria
5 vulnerabilities
CVE-2025-15479 (GCVE-0-2025-15479)
Vulnerability from cvelistv5 – Published: 2026-01-07 13:23 – Updated: 2026-01-07 15:03
VLAI?
Title
NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data
Summary
Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (
on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users’ browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding.
Severity ?
CWE
- NGSurvey Enterprise 3.6.4 stored XSS via survey content enables arbitrary JavaScript execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Data Illusion Zumbrunn | NGSurvey |
Affected:
3.6.4 , < 3.6.17
(semver)
|
Credits
Thomas Clair
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T14:10:29.702195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T15:03:22.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"user profile management functionality"
],
"platforms": [
"Windows",
"Linux"
],
"product": "NGSurvey",
"vendor": "Data Illusion Zumbrunn",
"versions": [
{
"changes": [
{
"at": "3.6.17",
"status": "unaffected"
}
],
"lessThan": "3.6.17",
"status": "affected",
"version": "3.6.4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:data_illusion_zumbrunn:ngsurvey:*:*:windows:*:*:*:*:*",
"versionEndExcluding": "3.6.17",
"versionStartIncluding": "3.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:data_illusion_zumbrunn:ngsurvey:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "3.6.17",
"versionStartIncluding": "3.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thomas Clair"
}
],
"datePublic": "2025-05-28T08:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (\n\non Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users\u2019 browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding."
}
],
"value": "Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (\n\non Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users\u2019 browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NGSurvey Enterprise 3.6.4 stored XSS via survey content enables arbitrary JavaScript execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T13:23:09.002Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2025-15479"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-05-12T23:41:00.000Z",
"value": "Vulnerability discovered by the pentester"
},
{
"lang": "en",
"time": "2025-05-22T07:42:00.000Z",
"value": "Report submitted to TCS-CERT"
},
{
"lang": "en",
"time": "2025-05-27T07:45:00.000Z",
"value": "Vulnerability Report to Vendor through email (support@dataillusion.com)"
},
{
"lang": "en",
"time": "2025-05-17T07:46:00.000Z",
"value": "Vendor acknowledged the report and confirmed fixes in v3.6.17"
},
{
"lang": "en",
"time": "2026-01-07T13:12:00.000Z",
"value": "CVE ID assigned"
},
{
"lang": "en",
"time": "2026-01-07T15:12:00.000Z",
"value": "Vulnerability Disclosure"
}
],
"title": "NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users\u2019 API keys and personal data",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-15479",
"datePublished": "2026-01-07T13:23:09.002Z",
"dateReserved": "2026-01-07T13:10:13.147Z",
"dateUpdated": "2026-01-07T15:03:22.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13873 (GCVE-0-2025-13873)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:56 – Updated: 2025-12-02 16:54
VLAI?
Title
The feature to import a survey is prone to stored Cross-Site Script attacks
Summary
Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:32.048997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:54:53.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of \u003cem\u003e\u003c/em\u003eObjectPlanet\u0026nbsp;Opinio\u0026nbsp;7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet\u00a0Opinio\u00a07.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:56:16.762Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to import a survey is prone to stored Cross-Site Script attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13873",
"datePublished": "2025-12-02T09:56:16.762Z",
"dateReserved": "2025-12-02T09:17:07.251Z",
"dateUpdated": "2025-12-02T16:54:53.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13872 (GCVE-0-2025-13872)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:51 – Updated: 2025-12-02 16:55
VLAI?
Title
Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio
Summary
Blind Server-Side Request Forgery (SSRF) in the survey-import feature of
ObjectPlanet Opinio 7.26 rev12562 on
Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests
to an arbitrary destination.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:34.265761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:02.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"The feature to import a survey"
],
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:objectplanet:opinio:7.26_rev12562:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\n\n\nBlind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eObjectPlanet\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpinio\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;7.26 rev12562\u003c/span\u003e\u0026nbsp;on \u003cem\u003e\u003c/em\u003e\n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination.\n\n\n\n\u003cbr\u003e"
}
],
"value": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n ObjectPlanet\u00a0Opinio\u00a07.26 rev12562\u00a0on \n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:51:59.865Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet\u00a0Opinio",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13872",
"datePublished": "2025-12-02T09:51:59.865Z",
"dateReserved": "2025-12-02T09:17:04.605Z",
"dateUpdated": "2025-12-02T16:55:02.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13871 (GCVE-0-2025-13871)
Vulnerability from cvelistv5 – Published: 2025-12-02 09:42 – Updated: 2025-12-02 16:55
VLAI?
Title
The feature to manage resources is prone to Cross-Site Request Forgery attacks
Summary
Cross-Site Request Forgery (CSRF) in the resource-management feature of
ObjectPlanet Opinio 7.26 rev12562
allows to upload
files on behalf of the connected users and then access such files without authentication.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ObjectPlanet | Opinio |
Affected:
7.26 rev12562
|
Credits
Dominique Righetto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:36.706557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:09.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Opinio",
"vendor": "ObjectPlanet",
"versions": [
{
"status": "affected",
"version": "7.26 rev12562"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dominique Righetto"
}
],
"datePublic": "2025-07-31T08:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cbr\u003e\n\nCross-Site Request Forgery (CSRF) in the resource-management feature of \u003cem\u003e\u003c/em\u003e\n\n\u003cb\u003eObjectPlanet Opinio 7.26 rev12562\u003c/b\u003e\n\n\u003cem\u003e\u003c/em\u003e allows\u0026nbsp;to upload \nfiles on behalf of the connected users and then access such files without authentication.\n\n\u003cbr\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) in the resource-management feature of \n\nObjectPlanet Opinio 7.26 rev12562\n\n allows\u00a0to upload \nfiles on behalf of the connected users and then access such files without authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T09:42:51.187Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.objectplanet.com/opinio/changelog.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2024-12-01T09:10:00.000Z",
"value": "Vulnerability discovery"
},
{
"lang": "en",
"time": "2024-12-10T14:22:00.000Z",
"value": "Vulnerability Report to TCS-CERT"
},
{
"lang": "en",
"time": "2024-12-19T15:33:00.000Z",
"value": "Vulnerability Report to Vendor through email : opinio@support.objectplanet.com"
},
{
"lang": "en",
"time": "2024-12-24T15:34:00.000Z",
"value": "Feedback asked to vendor, check if the vendor received the PoC in an encrypted archive"
},
{
"lang": "en",
"time": "2025-01-10T15:32:00.000Z",
"value": "New follow-up email was send to the vendor"
},
{
"lang": "en",
"time": "2025-01-13T15:37:00.000Z",
"value": "Vendor confirmed the reception of the PoC, vendor asked to wait 90-day period before publishing (responsible disclosure), and will try to fix the vulnerability"
},
{
"lang": "en",
"time": "2025-01-14T15:37:00.000Z",
"value": "Answer to vendor to acknowledge 90 days period"
},
{
"lang": "en",
"time": "2025-03-10T15:38:00.000Z",
"value": "Vendor informed us that they will realse the fix by the end of this month"
},
{
"lang": "en",
"time": "2025-04-23T14:39:00.000Z",
"value": "An email was sent to check where they stand on the release and fixes for the reported issues"
},
{
"lang": "en",
"time": "2025-06-21T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-06-30T14:39:00.000Z",
"value": "A feedback was requested from vendor regarding their progreess"
},
{
"lang": "en",
"time": "2025-07-31T14:39:00.000Z",
"value": "The vendor released the newer fixed version which is the Opinio Version 7.27"
}
],
"title": "The feature to manage resources is prone to Cross-Site Request Forgery attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13871",
"datePublished": "2025-12-02T09:42:51.187Z",
"dateReserved": "2025-12-02T09:16:58.809Z",
"dateUpdated": "2025-12-02T16:55:09.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13829 (GCVE-0-2025-13829)
Vulnerability from cvelistv5 – Published: 2025-12-01 15:47 – Updated: 2025-12-01 16:16
VLAI?
Summary
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user.
Critical information retrieved:
* APIKEY (1 year user Session)
* RefreshToken (10 minutes user Session)
* Password hashed with bcrypt
* User IP
* Email
* Full Name
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Data Illusion Zumbrunn | NGSurvey |
Affected:
0 , < 3.6.17
(Enterprise edition)
|
Credits
Thomas CLAIR
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T16:04:59.023926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T16:05:31.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NGSurvey",
"vendor": "Data Illusion Zumbrunn",
"versions": [
{
"lessThan": "3.6.17",
"status": "affected",
"version": "0",
"versionType": "Enterprise edition"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thomas CLAIR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user.\u003cbr\u003e\u003cbr\u003e\n\n Critical information retrieved: \u003cbr\u003e\u003cul\u003e\u003cli\u003eAPIKEY (1 year user Session)\u003c/li\u003e\u003cli\u003eRefreshToken (10 minutes user Session)\u003c/li\u003e\u003cli\u003ePassword hashed with bcrypt\u003c/li\u003e\u003cli\u003eUser IP\u003c/li\u003e\u003cli\u003eEmail\u003c/li\u003e\u003cli\u003eFull Name\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user.\n\n\n\n Critical information retrieved: \n * APIKEY (1 year user Session)\n * RefreshToken (10 minutes user Session)\n * Password hashed with bcrypt\n * User IP\n * Email\n * Full Name"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T16:16:34.168Z",
"orgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"shortName": "TCS-CERT"
},
"references": [
{
"tags": [
"vendor-advisory",
"release-notes"
],
"url": "https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to 3.6.17 or higher"
}
],
"value": "Upgrade to 3.6.17 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "64c5ae8f-7972-4697-86a0-7ada793ac795",
"assignerShortName": "TCS-CERT",
"cveId": "CVE-2025-13829",
"datePublished": "2025-12-01T15:47:10.317Z",
"dateReserved": "2025-12-01T15:30:15.569Z",
"dateUpdated": "2025-12-01T16:16:34.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}