CVE-2024-57170

Name of the Vulnerable Software and Affected Versions SOPlanning version 1.53.00

Description The issue concerns a directory traversal problem in the "/process/upload.php" API endpoint. The fichier to delete parameter allows authenticated attackers to specify file paths containing directory traversal sequences, such as "../", enabling them to delete arbitrary files outside the intended upload directory. This could potentially lead to denial of service or disruption of application functionality.

Recommendations For SOPlanning version 1.53.00, as a temporary workaround, consider restricting access to the "/process/upload.php" API endpoint or disabling the fichier to delete parameter to minimize the risk of exploitation. Additionally, restrict the ability to specify file paths containing directory traversal sequences to prevent attackers from deleting arbitrary files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.