CVE-2024-9572

Name of the Vulnerable Software and Affected Versions SOPlanning versions prior to 1.45

Description The issue is a Cross-Site Scripting (XSS) vulnerability due to the lack of proper validation of user input. This could allow a remote user to send a specially crafted query to an authenticated user and steal their session details. The vulnerability exists in the /soplanning/www/process/groupe save.php component, specifically in the groupe id parameter.

Recommendations For versions prior to 1.45, consider disabling access to the /soplanning/www/process/groupe save.php endpoint until a patch is available. As a temporary workaround, restrict the use of the groupe id parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.