An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability has been remediated in version 1.52.02.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:M/U:RedSoplanning
APPSoplanning< 1.52.02
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
IDOR
References
Related vulnerabilities
CVE-2024-57169CRITICAL9.8PL ✓ten sam produkt
SOPlanning 1.53.00 — ominięcie ograniczeń przesyłania plików prowadzące do RCE
CVE-2024-9574CRITICAL9.8PL ✓ten sam produkt
SQL Injection w SOPlanning — dostęp do całej bazy danych
CVE-2024-27115CRITICAL10.0PL ✓ten sam produkt
Nieuwierzytelniony RCE w SO Planning — nieograniczony upload plików
CVE-2024-27112CRITICAL9.3PL ✓ten sam produkt
SQL Injection w SO Planning — dostęp do bazy bez uwierzytelnienia
CVE-2020-13963CRITICAL9.8ten sam produkt
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related au...