Medium severity 5.4 · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2024-33724


Description

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SOPlanning 1.52.00 has a reflected XSS vulnerability in groupe_save.php via the groupe_id parameter, allowing an unauthenticated attacker to hijack admin sessions.

Vulnerability

SOPlanning version 1.52.00 is vulnerable to reflected cross-site scripting (XSS) in the process/groupe_save.php script. The groupe_id parameter is not sanitized before being reflected in the response, allowing an attacker to inject arbitrary JavaScript. The official description and exploit analysis confirm that a value supplied in this parameter escapes its context and comments out the rest of the code, enabling a valid reflected XSS attack [1].

Exploitation

An unauthenticated attacker can exploit this by crafting a malicious link containing the payload in the groupe_id parameter. The link, when visited by an authenticated user (including an administrator), triggers the XSS. For example, the payload "><script>alert('LiQUiDSKY')</script><!-- causes script execution on the target's browser without requiring authentication or special privileges [1].

Impact

Successful exploitation allows the attacker to perform actions on behalf of the victim, such as hijacking the session, stealing credentials, or taking over the entire platform. The exploit author notes that the attacker can gain control of an admin account and subsequently the whole SOPlanning installation [1].

Mitigation

As of the publication date, there is no official patch from the vendor. The application is no longer actively maintained. Users should consider applying input validation and output encoding to the groupe_id parameter, or migrating to a different planning solution if continued use exposes sensitive data.
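
One way to apply the validation and encoding advice above, written as an added example rather than SOPlanning's own code. It assumes groupe_id is meant to be a positive integer, the function names are hypothetical, and it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not SOPlanning's code. Assumption: groupe_id is meant to be a
// positive integer id. All function names below are hypothetical.

/** Input validation: the id as int, or null when it is not a plain positive integer. */
function parse_groupe_id(mixed $raw): ?int
{
    // Rejects arrays (groupe_id[]=1), empty strings, signs, whitespace and markup.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/D', $raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id; // false: out of integer range on this platform
}

/** Output encoding for HTML text and quoted attribute values. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical sink: returns the field markup, or null when the request should get HTTP 400. */
function render_groupe_field(mixed $raw): ?string
{
    $id = parse_groupe_id($raw);
    if ($id === null) {
        return null;
    }
    // Encode at the point of output even though the value is already validated.
    return '<input type="hidden" name="groupe_id" value="' . html((string) $id) . '">';
}

// Constructed sample inputs; the last one is the payload quoted in the advisory.
$payload = "\"><script>alert('LiQUiDSKY')</script><!--";
foreach (['42', '0', '', ['1'], $payload] as $sample) {
    $out = render_groupe_field($sample);
    echo json_encode($sample), ' => ', $out ?? 'rejected (respond 400)', PHP_EOL;
}
// Free-text values that cannot be validated this strictly still need encoding:
echo html($payload), PHP_EOL;
```

Validation rejects the advisory's payload outright, and the encoding step is what protects any parameter whose legitimate values cannot be restricted to digits.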

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
