Vulnerabilities > Soplanning
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-03-21 | CVE-2020-13963 | Use of Hard-coded Credentials vulnerability in Soplanning 1.45/1.46.01 | SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. | 9.8 |
2020-10-07 | CVE-2020-25867 | Improper Authentication vulnerability in Soplanning | SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. | 4.3 |
2020-08-11 | CVE-2020-15597 | Cross-site Scripting vulnerability in Soplanning | SOPlanning 1.46.01 allows persistent XSS via the Project Name, Statutes Comment, Places Comment, or Resources Comment field. | 3.5 |
2020-02-22 | CVE-2020-9339 | Cross-site Scripting vulnerability in Soplanning 1.45 | SOPlanning 1.45 allows XSS via the Name or Comment to status.php. | 3.5 |
2020-02-22 | CVE-2020-9338 | Cross-site Scripting vulnerability in Soplanning 1.45 | SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field. | 3.5 |
2020-02-18 | CVE-2020-9269 | SQL Injection vulnerability in Soplanning 1.45 | SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php. | 9.0 |
2020-02-18 | CVE-2020-9268 | SQL Injection vulnerability in Soplanning 1.45 | SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring. | 5.0 |
2020-02-18 | CVE-2020-9267 | Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45 | SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php. | 4.3 |
2020-02-18 | CVE-2020-9266 | Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45 | SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.php. | 4.3 |
2020-01-09 | CVE-2019-20179 | SQL Injection vulnerability in Soplanning | SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter. | 8.8 |