CRITICAL🇵🇱 Wersja polska

CVE-2024-57169

CVSS 9.8v3.1pub. 2025-03-18upd. 2025-04-02

A file upload bypass vulnerability exists in SOPlanning 1.53.00, specifically in /process/upload.php. This vulnerability allows remote attackers to bypass upload restrictions and potentially achieve remote code execution by uploading malicious files.

🤖 AI Analysis
How it works

The attacker sends a crafted request to the /process/upload.php endpoint, bypassing the restrictions applied by the application regarding allowed file types or extensions (CWE-434: Unrestricted Upload of File with Dangerous Type). As a result of successfully bypassing the filters, it is possible to upload a malicious file, such as a server-side executable script. After placing the file on the server, the attacker can cause its execution and take control of the system.

Impact

An attacker can gain the ability to execute arbitrary code remotely (RCE) on the server hosting the SOPlanning application, which may result in full system takeover, data leakage, and violation of service integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the update is applied, it is recommended to restrict network access to the /process/upload.php endpoint and implement additional file upload control mechanisms at the web server level or application firewall (WAF).

Who is affected

SOPlanning version 1.53.00

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Soplanning

    APP
    Soplanning
    1.53.00
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-9574CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SOPlanning — dostęp do całej bazy danych

CVE-2024-27113CRITICAL9.3PL ✓ten sam produkt

IDOR w SO Planning umożliwia nieuwierzytelniony eksport bazy danych

CVE-2024-27112CRITICAL9.3PL ✓ten sam produkt

SQL Injection w SO Planning — dostęp do bazy bez uwierzytelnienia

CVE-2024-27115CRITICAL10.0PL ✓ten sam produkt

Nieuwierzytelniony RCE w SO Planning — nieograniczony upload plików

CVE-2020-13963CRITICAL9.8ten sam produkt

SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related au...