PT-2020-20563 · Soplanning · Soplanning

Falconspy

Published

2020-02-18

Updated

2020-02-20

CVE-2020-9269

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SOPlanning version 1.45

Description The issue allows for authenticated SQL Injection, which can lead to command execution. This is achievable via the users parameter, as demonstrated in the export ical.php file.

Recommendations For SOPlanning version 1.45, consider restricting access to the export ical.php file and avoid using the users parameter until a patch is available. As a temporary workaround, restrict the use of the users parameter in the affected API endpoint to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-9269

Affected Products

Soplanning

PT-2020-20563 · Soplanning · Soplanning

CVE-2020-9269

Weakness Enumeration

Related Identifiers

Affected Products

References · 3