CVE-2024-27115 CRITICAL

CVE-2024-27115: Remote Code Execution through File Upload in SOPlanning before 1.52.02

Vendor Simple Online Planning
Product SO Planning
Weakness CWE-434 · Unrestricted file upload
Published September 11, 2024
Last update March 11, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:I/V:C/RE:M/U:Red

What the vulnerability does

01 Description

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SO Planning online planning tool. An attacker can upload executable files, which are moved to a publicly accessible folder before any requirements are verified. Code can then be executed on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.
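The flaw described above is one of ordering: the file reaches a web-served folder before it is checked. The following added example (not SOPlanning's code and not the vendor's fix) shows the reverse order in PHP, with every check done while the file is still in PHP's temporary directory. The names `store_upload`, `ALLOWED_TYPES` and `MAX_BYTES`, the allowlist contents and the size limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names and values throughout; adapt the allowlist to the application.
const ALLOWED_TYPES = [            // extension => expected MIME type (constructed allowlist)
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
const MAX_BYTES = 5 * 1024 * 1024; // constructed limit: 5 MiB

/**
 * Validate one entry of $_FILES while it is still in PHP's temporary
 * directory, then move it to a storage directory outside the web root.
 * Returns the stored file name; throws on any failed check.
 */
function store_upload(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Check the client-supplied extension against the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Derive the content type from the bytes, not from the request header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the client controls neither path nor extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // Only after every check passes does the file leave the temp directory.
    if (!move_uploaded_file($file['tmp_name'], $storageDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

`$storageDir` should sit outside the document root, or in a location where the web server is configured not to execute scripts, so that a file that slips past the checks is still never run.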

Key dates

02 Disclosure timeline

September 11, 2024 CVE published
March 11, 2025 Record updated