CVE-2024-27115: Remote Code Execution through File Upload in SOPlanning before 1.52.02

10.0 CVSS

Description

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SO Planning online planning tool. An attacker can upload executable files that are moved into a publicly accessible folder before any requirements are verified. When such a file is then triggered, code can be executed on the underlying system. The vulnerability has been remediated in version 1.52.02.

Classification

CVE ID: CVE-2024-27115

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:I/V:C/RE:M/U:Red

Problem Types

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: Simple Online Planning

Product: SO Planning

Nuclei Template

http/cves/2024/CVE-2024-27115.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 79.33% (estimated probability of exploitation)

EPSS Percentile: 99.02% (share of all scored vulnerabilities with an equal or lower score)

EPSS Date: 2025-04-09 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27115
https://csirt.divd.nl/CVE-2024-27115

Timeline