CVE-2024-9573

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in SOPlanning versions before 1.45 allows remote attackers to execute arbitrary SQL queries through the 'by' parameter in groupe_list.php. This could enable extraction of all database information including user credentials, planning data, and system information. Organizations using SOPlanning versions <1.45 are affected.

💻 Affected Systems

Products:
  • SOPlanning
Versions: All versions < 1.45
Operating Systems: All platforms running SOPlanning
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data exfiltration, credential theft, potential lateral movement to other systems, and full application control.

🟠 Likely Case: Extraction of sensitive planning data, user information, and potential privilege escalation within the SOPlanning application.

🟢 If Mitigated: Limited to read-only data extraction if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely without authentication, making it easily exploitable from the internet.
🏢 Internal Only: HIGH - Even internal attackers could exploit this to gain unauthorized access to sensitive planning data and user information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood attack vectors with many available tools and techniques for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.45

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-soplanning

Restart Required: Yes

Instructions:

1. Download SOPlanning version 1.45 or later from the official source.
2. Back up your current installation and database.
3. Replace the existing files with the patched version.
4. Restart the web server service.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (applies to: all)

  • Implement WAF rules to block SQL injection patterns in the 'by' parameter
  • WAF-specific configuration commands vary by vendor

Input Validation Filter (applies to: all)

  • Add input validation to filter SQL keywords from the 'by' parameter
  • Modify /soplanning/www/groupe_list.php to sanitize the 'by' parameter input
  • Keyword filtering is a stopgap only: the durable fix is to accept just an allowlist of expected values for 'by' and to pass any data values to the database through parameterized queries
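The allowlist approach referred to in the workaround above, as an added example that is not SOPlanning's own code (SOPlanning is written in PHP; the pattern carries over unchanged). It assumes that the 'by' parameter selects a sort column, which the advisory does not state, and the table and column names are constructed. The point it illustrates is that an ORDER BY identifier cannot be bound as a query parameter, so the only safe source for it is a fixed mapping from client values to column names, while ordinary data values go through placeholders.

```python
"""Allowlist handling of a sort-column parameter, with bound values for data.

Added example, not SOPlanning code (SOPlanning is written in PHP; the pattern
carries over unchanged). Assumption: the 'by' parameter selects a sort column.
The advisory does not say how groupe_list.php uses it, and the table and
column names below are constructed.
"""
import sqlite3

# Accepted client values for 'by', mapped to real column names. The client
# string is used only as a dictionary key and never appears in the SQL text,
# which is what a keyword filter cannot guarantee.
SORT_COLUMNS = {
    "name": "groupe_name",
    "created": "created_at",
    "id": "groupe_id",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_group_query(by, direction="asc"):
    """Return (sql, params) for the group listing, or raise ValueError."""
    try:
        column = SORT_COLUMNS[by]
        order = SORT_DIRECTIONS[str(direction).lower()]
    except KeyError:
        # Anything not on the allowlist is rejected outright, including real
        # column names that happen not to be exposed.
        raise ValueError("unsupported sort parameter") from None
    # Identifiers cannot be bound as parameters, so they come from the allowlist;
    # data values (here the active flag) are bound with a placeholder.
    sql = (
        "SELECT groupe_id, groupe_name, created_at FROM groupes "
        f"WHERE active = ? ORDER BY {column} {order}"
    )
    return sql, (1,)


def list_groups(conn, by, direction="asc"):
    """Return the names of active groups in the requested order."""
    sql, params = build_group_query(by, direction)
    return [row[1] for row in conn.execute(sql, params)]


def demo_connection():
    """In-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE groupes (groupe_id INTEGER PRIMARY KEY, "
        "groupe_name TEXT, created_at TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO groupes VALUES (?, ?, ?, ?)",
        [
            (1, "Support", "2024-02-10", 1),
            (2, "Dev", "2024-01-03", 1),
            (3, "Archive", "2023-12-01", 0),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_groups(conn, "name"))
    print(list_groups(conn, "created", "desc"))
    try:
        list_groups(conn, "created_at")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that `created_at` is a genuine column name and is still rejected, because it is not one of the keys the application chose to expose; the allowlist decides what is acceptable, not whether the input "looks like SQL".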

🧯 If You Can't Patch

  • Block external access to /soplanning/www/groupe_list.php using firewall rules or web server configuration
  • Implement strict network segmentation to isolate the SOPlanning server from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check if SOPlanning version is below 1.45 by examining the application version in the interface or checking the installation files

Check Version:

Check the SOPlanning interface or examine the application files for version information

Verify Fix Applied:

Verify the version has been updated to 1.45 or later and test the vulnerable endpoint with safe SQL injection test payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple requests to groupe_list.php with SQL keywords in parameters
  • Database error messages containing SQL syntax

Network Indicators:

  • HTTP requests to /soplanning/www/groupe_list.php containing SQL injection patterns in the 'by' parameter

SIEM Query:

source="web_server_logs" AND uri="/soplanning/www/groupe_list.php" AND param="by" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")

Note: the parameter filter must apply to all three indicator terms (hence the parentheses around the OR group); match case-insensitively and after URL-decoding the value, otherwise lower-case or percent-encoded variants are missed.
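The same detection expressed as runnable code, as an added example that is not part of the advisory: it parses Common Log Format lines, restricts to the vulnerable path, URL-decodes the 'by' parameter (including a second, double-encoded layer), and matches the three indicator terms case-insensitively. The log lines in `SAMPLE_LOGS` are constructed for the demonstration.

```python
"""Flag requests whose 'by' parameter on groupe_list.php carries SQL keywords.

Added example, not part of the advisory. It implements the SIEM query logic
in code so it can be run against exported web server logs; the log lines in
SAMPLE_LOGS are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/soplanning/www/groupe_list.php"
# Indicators from the advisory's SIEM query; matched case-insensitively
# after URL-decoding and whitespace normalisation.
INDICATORS = ("UNION", "SELECT", "OR 1=1")

# Common Log Format: client ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one CLF line, or None if the line does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def suspicious_by_values(uri):
    """Return the decoded 'by' values that contain an indicator ([] if none).

    Only the vulnerable path is inspected, mirroring the SIEM query's uri filter.
    """
    parts = urlsplit(uri)
    if parts.path != VULN_PATH:
        return []
    hits = []
    # parse_qs decodes one layer of percent-encoding; unquote_plus handles a
    # second (double-encoded) layer that a naive substring match would miss.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("by", []):
        value = unquote_plus(raw)
        normalised = re.sub(r"\s+", " ", value).upper()
        if any(indicator in normalised for indicator in INDICATORS):
            hits.append(value)
    return hits


def scan(lines):
    """Run the detection over an iterable of log lines and return alert records."""
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        hits = suspicious_by_values(record["uri"])
        if hits:
            alerts.append({"ip": record["ip"], "ts": record["ts"], "by": hits})
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    # Legitimate sort parameter: no alert.
    '198.51.100.7 - - [10/Oct/2024:12:00:01 +0000] '
    '"GET /soplanning/www/groupe_list.php?by=nom HTTP/1.1" 200 512',
    # Upper-case indicator in the 'by' parameter: alert.
    '203.0.113.5 - - [10/Oct/2024:12:00:05 +0000] '
    '"GET /soplanning/www/groupe_list.php?by=nom%20UNION%20SELECT%201 HTTP/1.1" 200 734',
    # Lower-case indicator, caught by the case-insensitive comparison: alert.
    '203.0.113.5 - - [10/Oct/2024:12:00:06 +0000] '
    '"GET /soplanning/www/groupe_list.php?by=id%20or%201%3D1 HTTP/1.1" 200 734',
    # Double-encoded indicator, caught by the second decoding step: alert.
    '203.0.113.5 - - [10/Oct/2024:12:00:07 +0000] '
    '"GET /soplanning/www/groupe_list.php?by=id%2520or%25201%253D1 HTTP/1.1" 200 734',
    # Same indicator on a different endpoint: outside the query's scope, no alert.
    '203.0.113.5 - - [10/Oct/2024:12:00:08 +0000] '
    '"GET /soplanning/www/index.php?by=UNION HTTP/1.1" 200 128',
    # Truncated line: skipped by the parser.
    '203.0.113.5 - - [10/Oct/2024:12:00:09',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Substring indicators of this kind produce false positives on legitimate values that happen to contain the terms, so treat the output as a triage feed rather than a verdict, and tune the indicator list to what the application's normal 'by' values look like. Once the patch is applied, alerts on this endpoint become pure noise in terms of compromise but still show who was probing it.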
