← back
CVE-2014-8677

CVE-2014-8677

EPSS 3.5%
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name.
Affected products
n/a · n/a
public PoCs found3
cve_referencepacketstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.htmlunverifiedcve_referencewww.exploit-db.com/exploits/37604/unverifiedexploitdbwww.exploit-db.com/exploits/37604unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.htmlhttp://seclists.org/fulldisclosure/2015/Jul/44https://www.exploit-db.com/exploits/37604/http://www.securityfocus.com/bid/75726