PT-2020-20562 · Soplanning · Soplanning
J3Rrybl4Nks
·
Published
2020-02-18
·
Updated
2020-02-19
·
CVE-2020-9268
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
SoPlanning version 1.45
Description
The issue concerns SQL Injection in the OrderBy clause. This is demonstrated through the
projets.php endpoint with specific parameters, such as order=nom createur and by=substring.Recommendations
For SoPlanning version 1.45, consider restricting access to the
projets.php endpoint until a patch is available, or apply input validation and sanitization to the order and by parameters to prevent SQL Injection attacks.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Soplanning