Vulnerabilities > Soplanning > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2024-10-07 | CVE-2024-9571 | Cross-site Scripting vulnerability in Soplanning | Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via `/soplanning/www/process/xajax_server.php`, affecting multiple parameters. | 5.4 |
2024-10-07 | CVE-2024-9572 | Cross-site Scripting vulnerability in Soplanning | Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via `/soplanning/www/process/groupe_save.php`, in the `groupe_id` parameter. | 5.4 |
2024-10-07 | CVE-2024-9573 | SQL Injection vulnerability in Soplanning | SQL injection vulnerability in SOPlanning <1.45, through `/soplanning/www/groupe_list.php`, in the `by` parameter, which could allow a remote user to send a specially crafted query and extract all the information stored on the server. | 6.5 |
2024-10-07 | CVE-2024-9574 | SQL Injection vulnerability in Soplanning | SQL injection vulnerability in SOPlanning <1.45, via `/soplanning/www/user_groupes.php` in the `by` parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB. | 6.5 |
2020-10-07 | CVE-2020-25867 | Improper Authentication vulnerability in Soplanning | SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. | 4.3 |
2020-02-18 | CVE-2020-9268 | SQL Injection vulnerability in Soplanning 1.45 | SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the `projets.php?order=nom_createur&by=` substring. | 5.0 |
2020-02-18 | CVE-2020-9267 | Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45 | SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via `process/xajax_server.php`. | 4.3 |
2020-02-18 | CVE-2020-9266 | Cross-Site Request Forgery (CSRF) vulnerability in Soplanning 1.45 | SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via `process/xajax_server.php`. | 4.3 |
2017-08-31 | CVE-2014-8676 | Path Traversal vulnerability in Soplanning | Directory traversal vulnerability in the `file_get_contents` function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. | 5.0 |
2017-08-31 | CVE-2014-8675 | Information Exposure vulnerability in Soplanning | Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash. | 5.0 |