Product
soplanning
34 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-62731 (affected: < 1.55.00)
SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to
CVE-2025-62730 (affected: < 1.55.00)
SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify pe
CVE-2025-62729 (affected: < 1.55.00)
SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS i
CVE-2025-62297 (affected: < 1.55.00)
SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML
CVE-2025-62296 (affected: < 1.55.00)
SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML a
CVE-2025-62295 (affected: < 1.55.00)
SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary H
CVE-2025-62294 (affected: < 1.55.00)
SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens
CVE-2025-62293 (affected: < 1.55.00)
SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functio
CVE-2025-41001 (affected: all versions)
Cross Site Scripting (XSS) vulnerability stored in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper vali
CVE-2024-57170 (affected: all versions)
SOPlanning 1.53.00 is vulnerable to a directory traversal issue in /process/upload.php. The "fichier_to_delete" parameter allows a
CVE-2024-57169 (affected: all versions)
A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows re
CVE-2024-9574 (affected: < 1.45)
SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a rem
CVE-2024-9573 (affected: < 1.45)
SQL injection vulnerability in SOPlanning <1.45, through /soplanning/www/groupe_list.php, in the by parameter, which could allow a
CVE-2024-9572 (affected: < 1.45)
Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via /soplanning/www/p
CVE-2024-9571 (affected: < 1.45)
Cross-Site Scripting (XSS) vulnerability in SOPlanning <1.45, due to lack of proper validation of user input via /soplanning/www/p
CVE-2024-27115 (affected: < 1.52.02)
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerabil
CVE-2024-27114 (affected: < 1.52.02)
An unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view s
CVE-2024-27113 (affected: < 1.52.02)
An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool that occurs when
CVE-2024-27112 (affected: < 1.52.02)
An unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An att
CVE-2020-13963 (affected: >= 1.45 and < 1.47)
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorit
CVE-2020-25867 (affected: < 1.47)
SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access
CVE-2020-15597 (affected: <= 1.46.01)
SOPlanning 1.46.01 allows persistent XSS via the Project Name, Statutes Comment, Places Comment, or Resources Comment field.
CVE-2020-9339 (affected: all versions)
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
CVE-2020-9338 (affected: all versions)
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
CVE-2020-9269 (affected: all versions)
SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstra
CVE-2020-9268 (affected: all versions)
SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= su
CVE-2020-9267 (affected: all versions)
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php.
CVE-2020-9266 (affected: all versions)
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.p
CVE-2019-20179 (affected: <= 1.45)
SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
CVE-2014-8673 (affected: <= 1.32)
Multiple SQL vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple On
CVE-2014-8674 (affected: < 1.33)
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple Online Planning (SOPlanning) before 1.33 via the document.cook
CVE-2014-8677 (affected: <= 1.32)
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to
CVE-2014-8676 (affected: <= 1.32)
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to dete
CVE-2014-8675 (affected: <= 1.32)
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote