CVE-2024-27114 HIGH

CVE-2024-27114: Remote Code Execution through File Upload in SOPlanning before 1.52.02

Vendor: Simple Online Planning
Product: SO Planning
Weakness: CWE-367
Published: September 11, 2024
Last update: March 11, 2025

CVSS base score

8.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:I/V:C/RE:M/U:Red

What the vulnerability does

01 Description

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SO Planning online planning tool. If the public view setting is enabled, an attacker can upload a PHP file that remains available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02.

Key dates

02 Disclosure timeline

September 11, 2024: CVE published
March 11, 2025: Record updated