CVE-2024-27114

Summary

A unauthenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. If the public view setting is enabled, a attacker can upload a PHP-file that will be available for execution for a few milliseconds before it is removed, leading to execution of code on the underlying system. The vulnerability has been remediated in version 1.52.02.

Affected Software

VendorProductVersion RangeStatus
Simple Online PlanningSO Planningbefore 1.52.01affected

Weaknesses

  • CWE-367: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Workarounds

Disable the public view setting.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References