CVE-2025-13873: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ObjectPlanet Opinio

Severity: Medium
Published: Tue Dec 02 2025 (12/02/2025, 09:56:16 UTC)
Source: CVE Database V5
Vendor/Project: ObjectPlanet
Product: Opinio

Description

Stored Cross-Site Scripting (XSS) in the survey-import feature of the ObjectPlanet Opinio 7.26 rev12562 web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.

AI-Powered Analysis

Last updated: 12/09/2025, 10:55:13 UTC

Technical Analysis

CVE-2025-13873 identifies a stored Cross-Site Scripting (XSS) vulnerability in ObjectPlanet Opinio version 7.26 rev12562, a web-based survey application. The flaw resides in the survey-import feature, where insufficient input neutralization allows an attacker to embed JavaScript in imported survey data. When a user opens the compromised survey, the injected script executes in that user's browser context, potentially enabling session hijacking, credential theft, or unauthorized actions performed on the user's behalf. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation). The CVSS 4.0 vector indicates that the issue is reachable over the network (AV:N) with low attack complexity (AC:L), but that injecting the payload requires high privileges (PR:H) and that a victim must interact with the survey (UI:P). The impact on confidentiality and integrity is rated low, and no availability impact is noted. No patches or public exploits are currently available, but the vulnerability's presence in a widely used survey tool poses a risk for organizations relying on Opinio for data collection and analysis. An attacker with access to the import feature can use this flaw to compromise end users who view the infected surveys, potentially leading to broader compromise or data leakage.

Potential Impact

For European organizations, this vulnerability can lead to client-side attacks targeting employees, customers, or partners who access compromised surveys. The injection of malicious scripts can result in theft of session cookies, redirection to phishing sites, or execution of unauthorized commands within the user's browser context. This can undermine trust in survey data integrity and confidentiality, especially in sectors such as market research, healthcare, and public administration where Opinio is used. Although the vulnerability requires high privileges to inject malicious content, insider threats or compromised accounts could exploit it. The medium severity rating reflects limited direct impact on core systems but significant risk to user data and organizational reputation. Additionally, the lack of available patches increases the window of exposure. Organizations handling sensitive survey data or relying on Opinio for decision-making should consider this a moderate risk that could escalate if exploited in targeted campaigns.

Mitigation Recommendations

To mitigate CVE-2025-13873, organizations should first restrict access to the survey-import feature to trusted administrators only, minimizing the risk of malicious input injection. Implement strict input validation and sanitization on all imported survey data to neutralize potentially harmful scripts before rendering. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor survey content regularly for unexpected or suspicious code injections. If possible, upgrade to a patched version of ObjectPlanet Opinio once available. In the interim, consider isolating the survey application environment and limiting user privileges to reduce the impact of any successful exploitation. Educate users about the risks of interacting with untrusted survey content and encourage reporting of unusual behavior. Finally, maintain robust logging and alerting to detect attempts to exploit this vulnerability.
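Two of the controls above, monitoring imported survey content for unexpected markup and encoding survey text on output, can be put into a pre-import gate. The following is an added example written for this page, not code from Opinio or its vendor; it assumes a JSON-like survey record (field names `title` and `questions[].text` are constructed, not Opinio's real export format) and that survey text is rendered into an HTML text node.

```python
import html
import re

# Markers of active content in fields that should be plain survey text.
# Constructed for this example; tighten or relax to the markup your templates allow.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"   # script-bearing elements
    r"|\bon[a-z]+\s*="                               # inline event handlers
    r"|(javascript|vbscript|data)\s*:",              # scriptable URI schemes
    re.IGNORECASE,
)


def find_suspicious_fields(survey: dict) -> list:
    """Walk an imported survey record and return (field_path, snippet) for
    every string field that carries markup a survey question should not have."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            m = ACTIVE_CONTENT.search(node)
            if m:
                hits.append((path, node[max(0, m.start() - 10): m.end() + 20]))

    walk(survey, "")
    return hits


def render_question(text: str) -> str:
    """Context-aware output encoding: the text lands in an HTML text node,
    so every HTML metacharacter is entity-encoded before rendering."""
    return f'<p class="question">{html.escape(text, quote=True)}</p>'


# Response header that blocks inline and third-party script even if encoding is missed somewhere.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"

# Constructed sample import record; the second question carries markup and should be flagged.
SAMPLE_IMPORT = {
    "title": "Customer satisfaction Q4",
    "questions": [
        {"text": "How satisfied are you with our support?"},
        {"text": "Rate us <script>alert('xss')</script>"},
    ],
}
```

Import jobs that produce any hits can be held for administrator review instead of being published, and `render_question` shows the encoded form in which flagged text would appear if it were rendered anyway.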

Technical Details

Data Version: 5.2
Assigner Short Name: TCS-CERT
Date Reserved: 2025-12-02T09:17:07.251Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692ebbcb5ae7112264a69121

Added to database: 12/2/2025, 10:13:31 AM

Last enriched: 12/9/2025, 10:55:13 AM

Last updated: 2/5/2026, 9:24:56 PM