Vulnerabilities in SOPlanning software
ID: c27134d6-2a72-5c1d-852f-b9ab8b109927
STIX ID: report--c27134d6-2a72-5c1d-852f-b9ab8b109927
Feed Name: CERT Polska
CERT Polska published a coordinated disclosure of seven CVEs affecting SOPlanning (≤1.55). The issues include missing authorization allowing unauthenticated retrieval of backup archives containing user databases and password hashes; stored and reflected XSS enabling JavaScript execution in authenticated users' browsers; SQL injection across multiple endpoints that can lead to full database compromise; path traversal and unrestricted file upload which—when combined—can place and execute arbitrary files on the server; and CSRF vulnerabilities in group management endpoints. Together these vulnerabilities permit data exfiltration, account compromise, and potential remote code execution.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
