Vendor
Soplanning
Products
1
CVEs
16
Across products
16
Status
Private
Products
1- 16 CVEs
Recent CVEs
16| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-8675 | Hig | 0.55 | 7.5 | 0.36 | Aug 31, 2017 | Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash. | |
| CVE-2014-8676 | Med | 0.44 | 5.3 | 0.82 | Aug 31, 2017 | Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter. | |
| CVE-2014-8677 | Med | 0.38 | 5.3 | 0.03 | Aug 31, 2017 | The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name. | |
| CVE-2025-62731 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | ||
| CVE-2025-62730 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges. This issue was fixed in version 1.55. | ||
| CVE-2025-62729 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | ||
| CVE-2025-62297 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55. | ||
| CVE-2025-62296 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||
| CVE-2025-62295 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | ||
| CVE-2025-62294 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time. This issue was fixed in version 1.55. | ||
| CVE-2025-62293 | 0.00 | — | 0.00 | Nov 20, 2025 | SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55. | ||
| CVE-2025-41001 | 0.00 | — | 0.00 | Nov 10, 2025 | Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consist of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/process/options.php'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | ||
| CVE-2024-9574 | 0.00 | — | 0.00 | Oct 7, 2024 | SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB. | ||
| CVE-2024-9573 | 0.00 | — | 0.00 | Oct 7, 2024 | SQL injection vulnerability in SOPlanning <1.45, through /soplanning/www/groupe_list.php, in the by parameter, which could allow a remote user to send a specially crafted query and extract all the information stored on the server. | ||
| CVE-2024-9572 | 0.00 | — | 0.00 | Oct 7, 2024 | Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via /soplanning/www/process/groupe_save.php, in the groupe_id parameter. This could allow a remote user to send a specially crafted query to an authenticated user and steal their session details. | ||
| CVE-2024-9571 | 0.00 | — | 0.00 | Oct 7, 2024 | Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via /soplanning/www/process/xajax_server.php, affecting multiple parameters. This could allow a remote user to send a specially crafted query to an authenticated user and partially take control of their browser session. |