CVE-2025-62296

5.4 MEDIUM

📋 TL;DR

SOPlanning versions before 1.55 contain a stored cross-site scripting (XSS) vulnerability in the /taches endpoint. Attackers with medium privileges can inject malicious HTML and JavaScript that executes when users open the editor, potentially compromising user sessions or performing unauthorized actions. This affects all SOPlanning deployments using vulnerable versions.

💻 Affected Systems

Products:
  • SOPlanning
Versions: All versions before 1.55
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have medium privileges (authenticated access).


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers with medium privileges steal session cookies or credentials from other users, gaining unauthorized access to sensitive planning data.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to data integrity issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS vulnerabilities are commonly exploited; this one requires authenticated access with medium privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.55

Vendor Advisory: https://www.soplanning.org/en/

Restart Required: Yes

Instructions:

1. Back up your SOPlanning installation and database.
2. Download version 1.55 from the official SOPlanning website.
3. Replace the existing installation files with the new version.
4. Restart your web server.
5. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side input validation to sanitize HTML/JS in task data
  • Implement input sanitization in the /taches endpoint code

Content Security Policy (applies to: all)

  • Implement CSP headers to restrict script execution
  • Add the header "Content-Security-Policy: script-src 'self'" to HTTP responses

🧯 If You Can't Patch

  • Restrict user privileges to minimum necessary, especially for /taches endpoint access
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check if SOPlanning version is below 1.55 in admin panel or by examining version files

Check Version:

Check admin panel or examine includes/version.php file

Verify Fix Applied:

After updating to 1.55, test XSS payloads in /taches endpoint to confirm they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JS patterns in task creation/modification logs
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP POST requests to /taches with script tags or JavaScript code

SIEM Query:

source="web_server" AND (uri="/taches" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
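The SIEM query above is a literal substring match and will miss URL-encoded or mixed-case payloads. The following added example (not part of the original advisory) applies the same indicators to constructed web-server log lines, URL-decoding the body and matching case-insensitively; the log format and the sample lines are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed format, not from a real deployment):
# <client_ip> <METHOD> <uri> <status> body=<url-encoded form body>
SAMPLE_LOG = """\
10.0.0.5 POST /taches 302 body=nom=Weekly+review&description=Sync+with+ops
10.0.0.7 POST /taches 302 body=nom=Deploy&description=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
10.0.0.9 POST /taches 302 body=nom=Link&description=%3Ca+href%3D%22JavaScript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E
10.0.0.3 GET /taches 200 body=
10.0.0.8 POST /projets 302 body=nom=%3Cscript%3E
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)

# Same two indicators as the advisory's SIEM query, but tolerant of whitespace and case.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)


def is_suspicious_task_write(line: str) -> Optional[dict]:
    """Return a finding for a POST to /taches whose decoded body carries an XSS indicator."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Only task writes matter for this CVE: POST to /taches (query string ignored).
    if m["method"] != "POST" or m["uri"].split("?")[0] != "/taches":
        return None
    body = unquote_plus(m["body"])  # decode %XX and '+' before matching
    indicators = []
    if SCRIPT_TAG.search(body):
        indicators.append("script_tag")
    if JS_URI.search(body):
        indicators.append("javascript_uri")
    if not indicators:
        return None
    return {"ip": m["ip"], "indicators": indicators, "body": body}


def scan_log(text: str) -> list:
    """Scan a whole log and return the findings in order of appearance."""
    return [f for f in (is_suspicious_task_write(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"])
```

The third sample line is flagged only because the match is case-insensitive after decoding; the raw SIEM query would not catch it.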
