CVE-2024-27113: Insecure Direct Object Reference to export Database in SOPlanning before 1.52.02

9.3 CVSS

Description

An unauthenticated Insecure Direct Object Reference (IDOR) to the database has been found in the SO Planning tool; it is exploitable when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file without authentication. The vulnerability has been remediated in version 1.52.02.

Classification

CVE ID: CVE-2024-27113

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:M/U:Red

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Simple Online Planning

Product: SO Planning

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.14% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 31.35% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-09 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27113
https://csirt.divd.nl/CVE-2024-27113

Timeline