DIVD-2024-00024 - Multiple vulnerabilities found in the SOPlanning tool
Our reference | DIVD-2024-00024 |
Case lead | Max van der Horst |
Author | Victor Pasman |
Researcher(s) | |
CVE(s) | CVE-2024-27112, CVE-2024-27113, CVE-2024-27114, CVE-2024-27115 |
Products | SOPlanning Online Planning tool |
Versions | |
Recommendation | Update to the latest version of SOPlanning Online Planning tool. |
Patch status | None |
Workaround | None |
Status | Closed |
Last modified | 17 Oct 2024 10:22 CEST |
Summary
The SOPlanning Online Planning tool in versions before 1.52.02 contains several vulnerabilities, which can be summarized as follows:
- An unauthenticated SQL injection, which an attacker can use to retrieve information from the database.
- Two unauthenticated Remote Code Execution (RCE) vulnerabilities, which allow an attacker to upload files to the system and execute them.
- An Insecure Direct Object Reference (IDOR), which makes it possible for an attacker to export the database.
Together, these vulnerabilities allow an attacker to take control of the underlying system.
Recommendations
Update to the latest version of the SOPlanning tool. If this is not possible, upgrade to at least version 1.52.02.
What we are doing
DIVD is currently working to identify parties that are running a version of the SOPlanning tool that contains these vulnerabilities and to notify them. We do this by finding SOPlanning installations that are connected to the Internet and verifying the version that is installed.
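The recommendation above and the notification work described here both come down to one check: is the installed version older than 1.52.02? An added example of that check, not code from DIVD or from the SOPlanning project, follows. It assumes that 1.52.02 is the first version that no longer carries the reported issues (taken from the Recommendations section) and that the operator supplies a version string per host, for instance from an asset inventory or the installation's own version file; how SOPlanning exposes its version is not described on this page, so the input strings and host names below are constructed. The point of the example is that version strings must be compared as integer tuples: a plain string comparison would wrongly classify 1.52.10 as older than 1.52.02.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption taken from the Recommendations section: 1.52.02 is the
# minimum version that no longer contains the reported vulnerabilities.
FIXED_VERSION = "1.52.02"

# Matches the first dotted version number in free text (e.g. "1.52.01", "v1.45").
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version from text as a tuple of integers.

    Integer tuples compare correctly: '1.52.2' equals '1.52.02', and
    '1.52.10' sorts after '1.52.9', which string comparison gets wrong.
    Returns None when no version number is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version is older than the fixed release, False if it is the
    fixed release or newer, None if no version could be parsed from the text."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version < parse_version(fixed)


def triage(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a host -> version-string mapping into vulnerable / patched / unknown."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in hosts.items():
        state = is_vulnerable(text)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings), in the
# form an operator might record them; not data from DIVD or from real systems.
SAMPLE_INVENTORY = {
    "planning.example.internal": "SOPlanning version 1.52.01",
    "intranet.example.internal": "SOPlanning 1.52.02",
    "legacy.example.internal": "SOPlanning v1.45",
    "dev.example.internal": "SOPlanning 1.52.10",
    "unknown.example.internal": "SOPlanning (version not shown)",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts that end up under "unknown" still need a manual check: the absence of a version number is not evidence that the installation is patched.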
Timeline
Date | Description |
---|---|
27 May 2024 | Vulnerabilities are found by Wietse and Hidde. |
19 Jun 2024 | Vulnerabilities reported to vendor. |
19 Jun 2024 - 19 Jun 2024 | Time to Acknowledge. |
19 Jun 2024 | Vendor acknowledges receipt of vulnerabilities. |
19 Jun 2024 - 04 Jul 2024 | Time to fix. |
08 Aug 2024 | Limited disclosure of the vulnerabilities and publishing of CVEs. |
16 Oct 2024 | Initial casefile created and published. |
```mermaid
gantt
title DIVD-2024-00024 - Multiple vulnerabilities found in the SOPlanning tool
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00024 - Multiple vulnerabilities found in the SOPlanning tool (140 days) :2024-05-29, 2024-10-16
section Events
Vulnerabilities are found by Wietse and Hidde. : milestone, 2024-05-27, 0d
Vulnerabilities reported to vendor. : milestone, 2024-06-19, 0d
Time to Acknowledge. (0 days) : 2024-06-19, 2024-06-19
Vendor acknowledges receipt of vulnerabilities. : milestone, 2024-06-19, 0d
Time to fix. (15 days) : 2024-06-19, 2024-07-04
Limited disclosure of the vulnerabilities and publishing of CVEs. : milestone, 2024-08-08, 0d
Initial casefile created and published. : milestone, 2024-10-16, 0d
```
More information
- CVE-2024-27112
- CVE-2024-27113
- CVE-2024-27114
- CVE-2024-27115
- National Vulnerability Database for CVE-2024-27112
- National Vulnerability Database for CVE-2024-27113
- National Vulnerability Database for CVE-2024-27114
- National Vulnerability Database for CVE-2024-27115