
Soplanning vulnerabilities

40 known vulnerabilities affecting soplanning/soplanning.

Total CVEs: 40
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 8, MEDIUM 25

Vulnerabilities

Page 1 of 2
CVE-2024-27115 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 1.52.02 | 2024-09-11
CWE-434: An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is
Source: nvd
CVE-2014-8673 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 1.32 | 2020-01-07
CWE-89: Multiple SQL vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPlanning) before 1.33.
Source: nvd
CVE-2014-8675 | P2 | HIGH | CVSS 7.5 | PoC | ≤ 1.32 | 2017-08-31
CWE-200: Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
Source: nvd
CVE-2014-8676 | P3 | MEDIUM | CVSS 5.3 | PoC | ≤ 1.32 | 2017-08-31
CWE-22: Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
Source: nvd
CVE-2024-27114 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.52.02 | 2024-09-11
CWE-367: An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been rem
Source: nvd
CVE-2024-27112 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.52.02 | 2024-09-11
CWE-89: An unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.
Source: nvd
CVE-2014-8677 | P3 | MEDIUM | CVSS 5.3 | PoC | ≤ 1.32 | 2017-08-31
CWE-94: The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php
Source: nvd
CVE-2024-57169 | P2 | CRITICAL | CVSS 9.8 | v1.53.00 | 2025-03-18
CWE-434: A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files.
Source: nvd
CVE-2020-13963 | P3 | CRITICAL | CVSS 9.8 | ≥ 1.45, < 1.47 | 2021-03-21
CWE-798: SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
Source: nvd
CVE-2024-27113 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.52.02 | 2024-09-11
CWE-200: An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability has been remediated in version 1.52.02.
Source: nvd
CVE-2025-62730 | P3 | HIGH | CVSS 8.8 | fixed in 1.55.00 | fixed in 1.55 | 2025-11-20
CWE-863: SOPlanning is vulnerable to Privilege Escalation in the user management tab. Users with the user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allows a malicious authenticated attacker with this role to escalate to admin privileges. This issue affe
Source: nvd
CVE-2026-40546 | P3 | HIGH | CVSS 8.7 | ≤ 1.55 | 2026-06-01
CWE-89: SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. An attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database. This issue affects SOPlanning version 1.55 and below.
Source: nvd
CVE-2026-40543 | P3 | HIGH | CVSS 8.8 | ≤ 1.55 | 2026-06-01
CWE-862: SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information. This issue affects SOPlanning version
Source: nvd
CVE-2014-8674 | P4 | MEDIUM | CVSS 5.4 | PoC | fixed in 1.33 | 2020-01-06
CWE-79: Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cookie in nb_mois and mb_ligness and the debug GET parameter to export.php, which allows malicious users to execute arbitrary code.
Source: nvd
CVE-2019-20179 | P3 | HIGH | CVSS 8.8 | ≤ 1.45 | 2020-01-09
CWE-89: SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
Source: nvd
CVE-2020-9268 | P3 | HIGH | CVSS 7.5 | v1.45 | 2020-02-18
CWE-89: SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring.
Source: nvd
CVE-2025-62294 | P3 | HIGH | CVSS 7.5 | fixed in 1.55.00 | fixed in 1.55 | 2025-11-20
CWE-340: SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to a weak mechanism for generating recovery tokens, a malicious attacker is able to brute-force all possible values and take over any account in a reasonable amount of time. This issue was fixed in version 1.55.
Source: nvd
CVE-2024-9574 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.45 | 2024-10-07
CWE-89: SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB.
Source: nvd
CVE-2024-9573 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.45 | 2024-10-07
CWE-89: SQL injection vulnerability in SOPlanning <1.45, through /soplanning/www/groupe_list.php, in the by parameter, which could allow a remote user to send a specially crafted query and extract all the information stored on the server.
Source: nvd
CVE-2020-9269 | P3 | HIGH | CVSS 7.2 | v1.45 | 2020-02-18
CWE-89: SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php.
Source: nvd