CRITICAL🇵🇱 Wersja polska

CVE-2023-4472

CVSS 9.8v3.1pub. 2024-02-01upd. 2025-06-11

Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.

🤖 AI Analysis
How it works

The application generates tokens (e.g., for password reset or session) using a PRNG that does not meet cryptographic requirements and is initialized with a predictable seed. An attacker, knowing or guessing the seed value, is able to reproduce the sequence of generated tokens. By possessing a predictable token, they can perform account takeover without having any login credentials.

Impact

An unauthenticated attacker can take control of any user account in the application, gaining full access to their data and functions. As a result, it is possible to compromise the confidentiality, integrity, and availability of data processed by the survey system.

Mitigation & patch

Objectplanet Opinio should be updated to a version newer than 7.22, in which the vendor has removed the vulnerability. Patch details are available in the vendor's changelog at: https://www.objectplanet.com/opinio/changelog.html

Who is affected

Objectplanet Opinio version 7.22 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Objectplanet Opinio

    APP
    Objectplanet
    < 7.23
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-26565HIGH7.5ten sam produkt

ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from para...

CVE-2020-26806HIGH8.8ten sam produkt

admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resu...

CVE-2025-13873MEDIUM4.8ten sam produkt

Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web app...

CVE-2020-26564MEDIUM6.5ten sam produkt

ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY conten...

CVE-2020-26563MEDIUM6.1ten sam produkt

ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/admin/surveyAdmin.do?action=viewSurveyAdmi...