CVE-2024-27112 CRITICAL

CVE-2024-27112: SQL Injection in SOPlanning before 1.52.02

Vendor Simple Online Planning
Product SO Planning
Weakness CWE-89 · SQLi
Published September 11, 2024
Last update March 11, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

What the vulnerability does

01Description

A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.

Key dates

02Disclosure timeline

September 11, 2024 CVE published
March 11, 2025 Record updated