CVE-2020-26806
HIGH
ObjectPlanet Opinio < 7.15 - Unauthenticated Remote Code Execution via JSP File Upload
Title source: llm
Description
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
References (2)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html
Release Notes, Vendor Advisory x_refsource_confirm
https://www.objectplanet.com/opinio/changelog.html
Scores
CVSS v3
8.8
EPSS
0.0597
EPSS Percentile
92.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
objectplanet/opinio
< 7.15
Published
Jul 31, 2021
Tracked Since
Feb 18, 2026