Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in SOPlanning software
20 November 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-62293
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Missing Authorization (CWE-862)
Report source Report to CERT Polska
CVE ID CVE-2025-62294
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Generation of Predictable Numbers or Identifiers (CWE-340)
Report source Report to CERT Polska
CVE ID CVE-2025-62295
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2025-62296
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2025-62297
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2025-62729
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2025-62730
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Incorrect Authorization (CWE-863)
Report source Report to CERT Polska
CVE ID CVE-2025-62731
Publication date 20 November 2025
Vendor SOPlanning
Product SOPlanning
Vulnerable versions All before 1.55
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in SOPlanning software and participated in coordination of their disclosure.

The vulnerability CVE-2025-62293: SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality any authenticated attacker is able to add, edit and delete any status.

The vulnerability CVE-2025-62294: SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time.

The vulnerability CVE-2025-62295: SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.

The vulnerability CVE-2025-62296: SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.

The vulnerability CVE-2025-62297: SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page.

The vulnerability CVE-2025-62729: SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into multiple pages.

The vulnerability CVE-2025-62730: SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges.

The vulnerability CVE-2025-62731: SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into multiple pages. By default only administrators and users with special privileges are able to access this endpoint.

These issues were fixed in version 1.55.

Credits

We thank Łukasz Jaworski from Pentest Limited for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.