A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
The vulnerability results from a lack of verification requirements before transferring an uploaded file to a publicly accessible folder (CWE-434 — unrestricted upload of file with dangerous type). An attacker can send a malicious executable file directly to the application without authentication. The file is placed in a publicly accessible directory before any validation is performed. Then it is enough to call the URL pointing to this file to cause code execution on the server.
An attacker without any privileges can execute arbitrary code on the server hosting the SO Planning application, which in practice means complete takeover of the operating system and potentially other resources on the network.
SO Planning should be updated to version 1.52.02 or newer, in which the vulnerability has been fixed by the vendor. As a temporary measure, it is worth considering restricting network access to the application only to trusted IP addresses.
SO Planning (Soplanning) in versions prior to 1.52.02
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:I/V:C/RE:M/U:RedSoplanning
APPSoplanning< 1.52.02
Related vulnerabilities
SOPlanning 1.53.00 — ominięcie ograniczeń przesyłania plików prowadzące do RCE
SQL Injection w SOPlanning — dostęp do całej bazy danych
IDOR w SO Planning umożliwia nieuwierzytelniony eksport bazy danych
SQL Injection w SO Planning — dostęp do bazy bez uwierzytelnienia
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related au...