CVE-2024-27112: SQL Injection in SOPlanning before 1.52.02

9.3 CVSS

Description

An unauthenticated SQL injection has been found in the SO Planning tool; it is reachable only when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.

Classification

CVE ID: CVE-2024-27112

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: Simple Online Planning

Product: SO Planning

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.12% (estimated probability of exploitation in the wild)

EPSS Percentile: 27.46% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-09 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27112
https://csirt.divd.nl/CVE-2024-27112

Timeline