Vulnerabilities > Soplanning

DATE CVE VULNERABILITY TITLE RISK
2021-03-21 CVE-2020-13963 Use of Hard-coded Credentials vulnerability in Soplanning 1.45/1.46.01
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public.
network
low complexity
soplanning CWE-798
critical
9.8
2020-10-07 CVE-2020-25867 Improper Authentication vulnerability in Soplanning
SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings.
4.3
2020-08-11 CVE-2020-15597 Cross-site Scripting vulnerability in Soplanning
SOPlanning 1.46.01 allows persistent XSS via the Project Name, Statutes Comment, Places Comment, or Resources Comment field.
network
soplanning CWE-79
3.5
2020-02-22 CVE-2020-9339 Cross-site Scripting vulnerability in Soplanning 1.45
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
network
soplanning CWE-79
3.5
2020-02-22 CVE-2020-9338 Cross-site Scripting vulnerability in Soplanning 1.45
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
network
soplanning CWE-79
3.5
2020-02-18 CVE-2020-9269 SQL Injection vulnerability in Soplanning 1.45
SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php.
network
low complexity
soplanning CWE-89
critical
9.0
2020-02-18 CVE-2020-9268 SQL Injection vulnerability in Soplanning 1.45
SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring.
network
low complexity
soplanning CWE-89
5.0
2020-02-18 CVE-2020-9267 Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php.
4.3
2020-02-18 CVE-2020-9266 Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.php.
4.3
2020-01-09 CVE-2019-20179 SQL Injection vulnerability in Soplanning
SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
network
low complexity
soplanning CWE-89
8.8