CVE-2020-26564

Name of the Vulnerable Software and Affected Versions: ObjectPlanet Opinio versions prior to 7.15

Description: The issue allows XXE attacks through a three-step process: modifying a .css file to include <!ENTITY content, creating a .xml file for a generic survey template that links to this .css file, and importing this .xml file at the "survey/admin/folderSurvey.do?action=viewImportSurvey['importFile']" URI. The XXE can then be triggered at the "admin/preview.do?action=previewSurvey&surveyId=" URI.

Recommendations: For versions prior to 7.15, update to version 7.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the "survey/admin/folderSurvey.do" and "admin/preview.do" endpoints until a patch is applied. Avoid using the importFile parameter in the affected API endpoint until the issue is resolved.