CVE-2014-8677
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
31/08/2017
Last modified:
20/04/2025
Description
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Base Score 2.0
3.50
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:* | 1.32 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
- http://seclists.org/fulldisclosure/2015/Jul/44
- http://www.securityfocus.com/bid/75726
- https://www.exploit-db.com/exploits/37604/
- http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html
- http://seclists.org/fulldisclosure/2015/Jul/44
- http://www.securityfocus.com/bid/75726
- https://www.exploit-db.com/exploits/37604/