Full Report
CERT Polska has received a report about 8 vulnerabilities (CVE-2025-62293 to CVE-2025-62297 and CVE-2025-62729 to CVE-2025-62731) found in SOPlanning software.
Analysis Summary
This summary details the 8 vulnerabilities in SOPlanning software reported to CERT Polska.
---
# Vulnerability: Multiple Flaws in SOPlanning (CVE-2025-62293 to CVE-2025-62297, CVE-2025-62729 to CVE-2025-62731)
## CVE Details
This summary groups details for all 8 reported CVEs. The CWE classification for each identifier is listed below; CVSS scores were not provided.
| CVE ID | CWE | Notes |
| :--- | :--- | :--- |
| CVE-2025-62293 | CWE-862 (Missing Authorization) | Broken Access Control in `/status` endpoint. |
| CVE-2025-62294 | CWE-340 (Generation of Predictable Numbers or Identifiers) | Predictable identifier leading to account takeover via brute-force. |
| CVE-2025-62295 | CWE-79 (XSS) | Stored XSS in `/groupe_form`. |
| CVE-2025-62296 | CWE-79 (XSS) | Stored XSS in `/taches`. |
| CVE-2025-62297 | CWE-79 (XSS) | Stored XSS in `/projets`. |
| CVE-2025-62729 | CWE-79 (XSS) | Stored XSS in `/status`. |
| CVE-2025-62730 | CWE-863 (Incorrect Authorization) | Privilege Escalation in user management. |
| CVE-2025-62731 | CWE-79 (XSS) | Stored XSS in `/feries`. |
*Note: Specific CVSS scores were not explicitly listed in the provided text; severity estimation relies on the description of impact.*
## Affected Systems
- Products: SOPlanning
- Versions: All versions before 1.55
- Configurations: Dependent on the specific vulnerability (e.g., requires authenticated attacker, medium privileges, or specific role/feature access).
## Vulnerability Description
The vulnerabilities cover several security categories:
1. **Broken Access Control / Incorrect Authorization (CVE-2025-62293, CVE-2025-62730):**
   * CVE-2025-62293: Lack of permission checks on the `/status` endpoint allows any authenticated user to modify Project Status.
   * CVE-2025-62730: Users with the `user_manage_team` role can improperly assign administrative permissions to any user (including themselves) via the user management tabs (Bulk Update or regular editing), leading to privilege escalation to Administrator.
2. **Predictable Identifiers (CVE-2025-62294):** Flaw allowing an attacker to brute-force all possible account identifiers quickly, enabling account takeover.
3. **Stored Cross-Site Scripting (CWE-79) (CVE-2025-62295, -62296, -62297, -62729, -62731):** Attackers with varying levels of privilege (from any authenticated account up to medium-privilege roles, depending on the endpoint) can inject arbitrary HTML and JavaScript via multiple endpoints (`/groupe_form`, `/taches`, `/projets`, `/status`, `/feries`). The injected content is stored and executes when the affected record is rendered or edited by a victim user.
## Exploitation
- Status: The summary does not state whether these issues have been exploited in the wild; the technical details provided for the privilege escalation and XSS issues imply working proof-of-concept exploitation scenarios.
- Complexity: Ranges from **Low** (general authenticated access or brute-force) to **Medium** (requires specific roles or privileges for certain injection points).
- Attack Vector: Primarily **Adjacent** (authenticated users exploiting internal logic) or potentially **Network** (via input fields accessible over the network).
## Impact
Impact levels are inferred based on the vulnerability type:
- Confidentiality: **High** (Due to XSS and potential lateral movement after account takeover/privilege escalation).
- Integrity: **High** (Due to stored XSS execution and unauthorized permission changes/status updates).
- Availability: **Medium** (Indirect impact possible via successful exploitation or service disruption).
## Remediation
### Patches
- **Version 1.55:** All reported issues were fixed in version 1.55 of SOPlanning.
### Workarounds
- No explicit workarounds were provided in the summary. Restricting the `user_manage_team` role and other administrative permissions to trusted users may temporarily reduce the risk from CVE-2025-62730, but immediate patching is recommended.
## Detection
- Detection methods were not specified. Indicators of Compromise would include:
  - Unexpected privilege changes in user accounts.
  - Malicious scripts executing in application views (for example, unexpected script content in stored records, or unusual DOM changes observed via browser or application logs).
  - Large volumes of failed login attempts targeting predictable user IDs (CVE-2025-62294).
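As an added illustration of the last indicator (not part of the CERT Polska summary or the SOPlanning project), the script below scans a constructed, hypothetical access log for a single source cycling through sequential account identifiers with failed logins, which is the pattern brute-force against predictable IDs (CVE-2025-62294) would leave. The `/login?user=` request shape, IP addresses and user IDs are assumptions for the sample, not SOPlanning's real log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical format, not real SOPlanning logs).
# Each line carries the client IP, the login request with the user id tried, and the status.
SAMPLE_LOG = """\
203.0.113.7 - [10/Oct/2025:10:00:01] "POST /login?user=1001 HTTP/1.1" 401
203.0.113.7 - [10/Oct/2025:10:00:02] "POST /login?user=1002 HTTP/1.1" 401
203.0.113.7 - [10/Oct/2025:10:00:02] "POST /login?user=1003 HTTP/1.1" 401
203.0.113.7 - [10/Oct/2025:10:00:03] "POST /login?user=1004 HTTP/1.1" 401
203.0.113.7 - [10/Oct/2025:10:00:03] "POST /login?user=1005 HTTP/1.1" 401
203.0.113.7 - [10/Oct/2025:10:00:04] "POST /login?user=1006 HTTP/1.1" 200
198.51.100.9 - [10/Oct/2025:10:05:00] "POST /login?user=1042 HTTP/1.1" 401
198.51.100.9 - [10/Oct/2025:10:05:09] "POST /login?user=1042 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) .*"POST /login\?user=(\d+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, user_id, status) for every login attempt in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def find_enumeration(log_text, min_failures=5, min_distinct=5):
    """Return {ip: sorted user ids probed} for sources with at least min_failures
    failed logins spanning at least min_distinct distinct ids, where the ids form
    a mostly consecutive run (the signature of predictable-id brute force)."""
    failures = defaultdict(list)
    for ip, uid, status in parse(log_text):
        if status != 200:
            failures[ip].append(uid)
    flagged = {}
    for ip, ids in failures.items():
        distinct = sorted(set(ids))
        if len(ids) < min_failures or len(distinct) < min_distinct:
            continue
        # Fraction of neighbouring ids that differ by exactly 1; >= 0.8 means sequential probing.
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        if steps and sum(1 for s in steps if s == 1) / len(steps) >= 0.8:
            flagged[ip] = distinct
    return flagged

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible account-id enumeration from {ip}: ids {ids[0]}..{ids[-1]}")
```

A single legitimate user retrying their own id (198.51.100.9 above) is not flagged; the thresholds should be tuned to the deployment's normal failed-login rate.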
## References
- Vendor advisories: Not explicitly listed, but patch availability implies a vendor advisory exists.
- Relevant links (defanged):
  - hxxps://incydent.cert.pl/#!/lang=en
  - hxxps://cert.pl/en/cvd/