Vulnerabilities > CVE-2020-26565 - Expression Language Injection vulnerability in Objectplanet Opinio

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

objectplanet

CWE-917

NVD

Published: 2021-07-31

Updated: 2021-08-10

Summary

ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.

Vulnerable Configurations

Part	Description	Count
Application	Objectplanet Objectplanet Opinio 4.0 Objectplanet Opinio 4.0.1 Objectplanet Opinio 4.0.2 Objectplanet Opinio 4.1 Objectplanet Opinio 4.1.1 Objectplanet Opinio 4.1.2 Objectplanet Opinio 4.1.3 Objectplanet Opinio 4.1.4 Objectplanet Opinio 4.2 Objectplanet Opinio 4.2.1 Objectplanet Opinio 4.2.2 Objectplanet Opinio 4.3 Objectplanet Opinio 4.3.1 Objectplanet Opinio 4.3.2 Objectplanet Opinio 4.3.3 Objectplanet Opinio 4.3.4 Objectplanet Opinio 4.3.5 Objectplanet Opinio 4.3.6 Objectplanet Opinio 4.3.7 Objectplanet Opinio 4.3.8 Objectplanet Opinio 4.3.9 Objectplanet Opinio 4.3.10 Objectplanet Opinio 4.3.11 Objectplanet Opinio 5.0 Objectplanet Opinio 5.01 Objectplanet Opinio 5.1 Objectplanet Opinio 5.02 Objectplanet Opinio 5.2 Objectplanet Opinio 5.2.1 Objectplanet Opinio 5.2.2 Objectplanet Opinio 5.2.3 Objectplanet Opinio 5.2.4 Objectplanet Opinio 5.2.5 Objectplanet Opinio 5.2.6 Objectplanet Opinio 5.2.7 Objectplanet Opinio 5.2.8 Objectplanet Opinio 5.2.9 Objectplanet Opinio 5.2.10 Objectplanet Opinio 5.2.11 Objectplanet Opinio 5.2.12 Objectplanet Opinio 6.0 Objectplanet Opinio 6.0.1 Objectplanet Opinio 6.0.2 Objectplanet Opinio 6.0.3 Objectplanet Opinio 6.0.4 Objectplanet Opinio 6.0.5 Objectplanet Opinio 6.0.6 Objectplanet Opinio 6.0.7 Objectplanet Opinio 6.0.8 Objectplanet Opinio 6.1 Objectplanet Opinio 6.2.1 Objectplanet Opinio 6.2.2 Objectplanet Opinio 6.3 Objectplanet Opinio 6.3.1 Objectplanet Opinio 6.3.2 Objectplanet Opinio 6.3.3 Objectplanet Opinio 6.4 Objectplanet Opinio 6.4.1 Objectplanet Opinio 6.4.2 Objectplanet Opinio 6.4.3 Objectplanet Opinio 6.4.4 Objectplanet Opinio 6.5 Objectplanet Opinio 6.5.1 Objectplanet Opinio 6.6 Objectplanet Opinio 6.6.1 Objectplanet Opinio 6.6.2 Objectplanet Opinio 6.6.3 Objectplanet Opinio 6.7 Objectplanet Opinio 6.7.1 Objectplanet Opinio 6.7.2 Objectplanet Opinio 6.8 Objectplanet Opinio 6.8.1 Objectplanet Opinio 6.8.2 Objectplanet Opinio 6.9 Objectplanet Opinio 6.9.1 Objectplanet Opinio 7.0 Objectplanet Opinio 7.1 Objectplanet Opinio 7.1.1 Objectplanet Opinio 7.1.2 Objectplanet Opinio 7.2 Objectplanet Opinio 7.2.1 Objectplanet Opinio 7.3 Objectplanet Opinio 7.4 Objectplanet Opinio 7.4.1 Objectplanet Opinio 7.4.2 Objectplanet Opinio 7.4.3 Objectplanet Opinio 7.5 Objectplanet Opinio 7.6 Objectplanet Opinio 7.6.1 Objectplanet Opinio 7.6.2 Objectplanet Opinio 7.6.3 Objectplanet Opinio 7.6.4 Objectplanet Opinio 7.6.5 Objectplanet Opinio 7.7 Objectplanet Opinio 7.7.1 Objectplanet Opinio 7.7.2 Objectplanet Opinio 7.8 Objectplanet Opinio 7.9 Objectplanet Opinio 7.9.1 Objectplanet Opinio 7.10 Objectplanet Opinio 7.11 Objectplanet Opinio 7.12 Objectplanet Opinio 7.13	120

Common Weakness Enumeration (CWE)

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References