📦 Soplanning
by Soplanning
⚠️ Known Vulnerabilities
This SQL injection vulnerability in SOPlanning versions before 1.45 allows remote attackers to execute arbitrary SQL queries through the 'by' parameter in the user_groupes.php endpoint. Attackers can ...
CVE-2024-27114 is an unauthenticated remote code execution vulnerability in SO Planning online planning tool. Attackers can upload PHP files that execute for milliseconds before deletion when public v...
An unauthenticated SQL injection vulnerability exists in SO Planning tool when public view is enabled, allowing attackers to execute arbitrary SQL commands on the database. This affects all organizati...
SOPlanning users with the user_manage_team role can assign administrative permissions to any user, including themselves, allowing privilege escalation to admin. This affects both Bulk Update and regul...
SOPlanning's password recovery token generation uses predictable values, allowing attackers to brute-force tokens and hijack any user account. This affects all SOPlanning installations before version ...
SOPlanning's public holidays feature contains a stored cross-site scripting vulnerability that allows attackers with access to the feature to inject malicious HTML/JavaScript. When users view affected...
SOPlanning versions before 1.55 have a broken access control vulnerability in the /status endpoint that allows authenticated attackers to manipulate project statuses without proper authorization. This...
SOPlanning versions before 1.55 contain a stored cross-site scripting (XSS) vulnerability in the /groupe_form endpoint. Attackers with medium privileges can inject malicious HTML and JavaScript that e...
SOPlanning versions before 1.55 contain a stored cross-site scripting (XSS) vulnerability in the /taches endpoint. Attackers with medium privileges can inject malicious HTML and JavaScript that execut...
SOPlanning web application is vulnerable to stored cross-site scripting (XSS) in the /projets endpoint. An attacker with medium privileges can inject malicious HTML and JavaScript that executes when o...
SOPlanning web application is vulnerable to stored cross-site scripting (XSS) in the /status endpoint. An authenticated attacker can inject malicious HTML and JavaScript that executes when other users...
SOPlanning 1.53.00 has a directory traversal vulnerability in the upload.php file that allows authenticated attackers to delete arbitrary files by manipulating the 'fichier_to_delete' parameter with p...
This SQL injection vulnerability in SOPlanning versions before 1.45 allows remote attackers to execute arbitrary SQL queries through the 'by' parameter in groupe_list.php. This could enable extraction...
A Cross-Site Scripting (XSS) vulnerability in SOPlanning versions before 1.45 allows remote attackers to inject malicious scripts via the /soplanning/www/process/xajax_server.php endpoint. This could ...