HIGH🇵🇱 Wersja polska

CVE-2020-26806

CVSS 8.8v3.1pub. 2021-07-31upd. 2024-11-21

admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Objectplanet Opinio

    APP
    Objectplanet
    < 7.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2023-4472CRITICAL9.8PL ✓ten sam produkt

Objectplanet Opinio — przejęcie konta przez słaby PRNG z przewidywalnym ziarnem

CVE-2020-26565HIGH7.5ten sam produkt

ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from para...

CVE-2025-13873MEDIUM4.8ten sam produkt

Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web app...

CVE-2020-26564MEDIUM6.5ten sam produkt

ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY conten...

CVE-2020-26563MEDIUM6.1ten sam produkt

ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmi...