PT-2024-39695 · Unknown · Soplanning
Rafael Pedrero · Published 2024-10-07 · Updated 2024-10-09 · CVE-2024-9574
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SOPlanning versions prior to 1.45
Description
A SQL injection vulnerability exists in SOPlanning. A remote user can submit a specially crafted value in the "by" parameter of the /soplanning/www/user_groupes.php API endpoint, which lets an attacker retrieve all the information stored in the database.
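The advisory does not show the affected code. The PHP below is an added illustration, not SOPlanning's source: it assumes the "by" value is used as a sort column (the usual role of such a parameter) and contrasts the string-concatenation pattern behind this bug class with an allowlist check, which is the correct fix because ORDER BY identifiers cannot be bound as prepared-statement parameters. Table and column names are assumed.

```php
<?php
// Added illustration, not SOPlanning's code. The advisory only names the "by"
// parameter; its use in ORDER BY below is an assumption about the bug class.

// Unsafe pattern: request-controlled text is concatenated into the query, so
// anything the client sends becomes part of the SQL statement.
function buildUserGroupsQueryUnsafe(string $by): string
{
    return "SELECT * FROM user_groupes ORDER BY " . $by;   // table name assumed
}

// Hardened pattern: map the request value onto a fixed allowlist of column
// names and directions, so only literals chosen by the developer reach SQL.
const ALLOWED_SORT_COLUMNS = ['id', 'nom', 'groupe_id'];  // assumed columns
const ALLOWED_DIRECTIONS   = ['ASC', 'DESC'];

function buildUserGroupsQuerySafe(string $by, string $dir = 'ASC'): string
{
    if (!in_array($by, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('Unexpected sort column');
    }
    $dir = strtoupper($dir);
    if (!in_array($dir, ALLOWED_DIRECTIONS, true)) {
        throw new InvalidArgumentException('Unexpected sort direction');
    }
    // $by and $dir are now known allowlist members, not the raw request text.
    return sprintf('SELECT * FROM user_groupes ORDER BY `%s` %s', $by, $dir);
}

// Usage with PDO (DSN and credentials are placeholders):
// $pdo  = new PDO('mysql:host=localhost;dbname=soplanning', 'user', 'pass');
// $stmt = $pdo->query(buildUserGroupsQuerySafe($_GET['by'] ?? 'id', $_GET['dir'] ?? 'ASC'));
```

Rejecting unknown values outright, rather than trying to sanitize them, keeps the check simple to audit and gives the application a clear log event when the parameter is tampered with.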
Recommendations
For SOPlanning versions prior to 1.45, upgrade to version 1.45 or later to resolve the issue. As a temporary workaround, consider restricting access to the /soplanning/www/user_groupes.php API endpoint and the by parameter to minimize the risk of exploitation.
Fix
SQL injection
Affected Products
Soplanning