VYPR
Medium severity 6.3 · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2024-33722

Description

SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in SOPlanning 1.52.00 via statut[] parameter in projets.php allows data extraction.

Vulnerability Overview

CVE-2024-33722 is an authenticated SQL injection vulnerability in SOPlanning version 1.52.00. The flaw exists in the projets.php page, where the statut[] parameter is not properly sanitized before being used in SQL queries. This allows an attacker with valid credentials to inject arbitrary SQL commands.

Exploitation Details

To exploit this vulnerability, an attacker must first authenticate to the SOPlanning instance. Once authenticated, they can send a crafted GET or POST request to /www/projets.php with a malicious statut[] parameter. The injected SQL payload is executed against the backend database, enabling data retrieval or modification. The exploit does not require any special privileges beyond standard user authentication [1].

Impact

Successful exploitation allows an authenticated attacker to extract sensitive information from the database, such as user credentials, session data, and other application secrets. This can lead to privilege escalation, account takeover, or full compromise of the SOPlanning platform. The attacker may also be able to modify or delete data, depending on the database permissions.

Mitigation Status

As of the publication date, no official patch has been released by the vendor. Users are advised to restrict network access to the application, apply strong authentication mechanisms, and monitor logs for suspicious activity. Until a fix is available, input validation and parameterized queries should be implemented as a workaround.
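
The workaround named above (validate the input, then bind it as parameters), shown as an added PHP example that is not SOPlanning's code and not taken from the advisory. The `projet` table, its columns, the allow-listed status codes and the in-memory SQLite database are assumptions made for illustration; it needs PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the real SOPlanning status codes are not given on this page.
const ALLOWED_STATUTS = ['a_faire', 'en_cours', 'fait', 'abandon', 'archive'];

/**
 * Normalise the statut[] request parameter into a list of allow-listed codes.
 * Non-arrays, nested arrays and unknown strings are dropped, never "cleaned up".
 */
function cleanStatuts(mixed $raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $clean = [];
    foreach ($raw as $value) {
        if (is_string($value) && in_array($value, ALLOWED_STATUTS, true)) {
            $clean[] = $value;
        }
    }
    return array_values(array_unique($clean));
}

/** Filter projects by status using one bound placeholder per array element. */
function findProjects(PDO $db, array $statuts): array
{
    if ($statuts === []) {
        return []; // never emit "IN ()" or silently fall back to an unfiltered query
    }
    // Only the "?" marks are interpolated; the values travel as bound parameters.
    $marks = implode(',', array_fill(0, count($statuts), '?'));
    $stmt = $db->prepare("SELECT nom FROM projet WHERE statut IN ($marks) ORDER BY nom");
    $stmt->execute($statuts);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data; SQLite in memory stands in for the real backend database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE projet (nom TEXT, statut TEXT)");
$db->exec("INSERT INTO projet VALUES ('Alpha','en_cours'),('Beta','fait'),('Gamma','archive')");

// Constructed request: a valid code, a value carrying SQL metacharacters, a nested array.
$request = ['statut' => ['en_cours', "fait' OR '1'='1", ['nested']]];
$statuts = cleanStatuts($request['statut'] ?? null);
print_r($statuts);                    // values that survived validation
print_r(findProjects($db, $statuts)); // rows matched through bound parameters only
```

Binding alone already keeps the second value from changing the query; the allow-list additionally rejects it before it reaches the database, which gives a clean point to log rejected input.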

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
