Huy-Ngoc Dau

**Name of the Vulnerable Software and Affected Versions** SOPPlanning versions prior to 1.33 **Description** Multiple SQL vulnerabilities exist in various PHP files, including planning.php, user list.php, projets.php, user groupes.php, and groupe list.php. **Recommendations** For versions prior to 1.33, update to version 1.33 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions prior to 1.33 **Description** The issue concerns multiple Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities allow malicious users to execute arbitrary code via the document.cookie in `nb mois` and `mb ligness` and the debug GET parameter to "export.php". **Recommendations** For versions prior to 1.33, update to version 1.33 or later to resolve the issue. As a temporary workaround, consider restricting access to the "export.php" endpoint and avoiding the use of the debug GET parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Soplanning versions 1.32 and earlier **Description** The issue allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash. This is because Soplanning generates static links for sharing ICAL calendars with embedded login information. **Recommendations** For Soplanning versions 1.32 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions 1.32 and earlier **Description** A directory traversal issue exists in the file get contents function, allowing remote attackers to determine the existence of arbitrary files by using a .. (dot dot) in a URL path parameter. **Recommendations** For SOPlanning versions 1.32 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SOPlanning versions 1.32 and earlier **Description** The issue allows remote authenticated users to execute arbitrary PHP code via a crafted database name, given certain conditions such as access to an existing database, permissions to create arbitrary databases, the use of PHP before version 5.2, a down configuration database, or a non-writable smarty/templates c directory. **Recommendations** For SOPlanning versions 1.32 and earlier, update to a version later than 1.32 to resolve the issue. As a temporary workaround, consider restricting database creation permissions and ensuring smarty/templates c is writable, while also updating PHP to version 5.2 or later.