Description
SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.
Published: 2026-05-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the process/groupe_save.php endpoint of SOPlanning 1.52.00. An attacker can supply a crafted groupe_id value that is reflected into the resulting page without escaping, so arbitrary JavaScript runs in the visitor's browser. The script executes in the context of whichever user loads the injected page, typically an authenticated SOPlanning user, with that user's session and privileges. The impact is a limited loss of confidentiality and integrity (CVSS C:L/I:L), which in practice means session compromise and actions taken on the victim's behalf. The likely attack vector is a victim opening a URL or submitting a form that carries the malicious groupe_id; the reflected (rather than stored) nature of the flaw and this delivery path are inferred from typical XSS exploitation patterns, since the CVE description does not state them.

Affected Systems

SOPlanning version 1.52.00. The CNA did not specify a vendor; the project is publicly hosted and the exploit reference in the CVE record points to a GitHub repository. Any installation running this version that exposes process/groupe_save.php should be treated as vulnerable. The record does not say whether earlier or later versions are affected, so administrators of other versions should check the endpoint's handling of groupe_id themselves.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N): the endpoint is reachable over the network and the attacker needs no privileges, but a victim must interact (open a link or submit a form), and the impact on confidentiality and integrity is limited, with no availability impact. The EPSS score is below 1%, a low but nonzero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment records that a proof of concept exists (Exploitation: poc; Automatable: no). Exploitation requires social engineering to get a user to submit the attack payload. Once the script executes it runs with the victim's privileges in the application, enabling data exfiltration, session hijacking, or further in-application actions on the victim's behalf.

Generated by OpenCVE AI on May 9, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Deploy a vendor patch or upgrade to a version of SOPlanning that corrects the groupe_id input handling, as soon as one is published (none is listed here yet).
  • Validate the groupe_id parameter server-side so that it accepts only a numeric identifier; reject non-numeric input outright rather than attempting to sanitise it.
  • HTML-encode any output that contains groupe_id, using the encoding appropriate to the context (element body, attribute, URL) in which it is rendered, before it reaches the page.
  • Deploy a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins, as defence in depth rather than a substitute for the fixes above.

Generated by OpenCVE AI on May 9, 2026 at 14:40 UTC.
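
The reflection described under Impact and the validation, encoding and CSP measures in the recommended actions, shown together as one added example. This is illustrative PHP written for this page, not SOPlanning's code: the advisory gives only the parameter name (groupe_id) and the endpoint path, so the vulnerable pattern, the function names, the request shape, the demonstration payload and the CSP policy are all assumptions.

```php
<?php
// Added example, not SOPlanning's own code. Only the parameter name
// groupe_id comes from the advisory; everything else here is assumed for
// illustration. Runs from the CLI with `php groupe_save_example.php`.
declare(strict_types=1);

// Illustrative CWE-79 pattern (assumed, not SOPlanning's actual code): the
// raw parameter is reflected into the response with no validation or encoding.
function render_group_saved_unsafe(string $rawGroupeId): string
{
    return '<p>Group ' . $rawGroupeId . ' saved.</p>';
}

// Fix 1: validate. Accept only a positive integer and reject everything else
// by returning null. FILTER_VALIDATE_INT requires the whole value to be an
// integer, so "7<img ...>" fails rather than being truncated to 7. Arrays and
// null also yield false from filter_var and are therefore rejected.
function validate_groupe_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fix 2: encode on output. Every dynamic value rendered into HTML goes through
// h(), which neutralises <, >, &, " and ' for element-body and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_group_saved(int $groupeId): string
{
    // $groupeId is already an int, so this cannot carry markup; h() is still
    // applied so the pattern holds if the value is ever a string again.
    return '<p>Group ' . h((string) $groupeId) . ' saved.</p>';
}

// Fix 3: defence in depth. With no 'unsafe-inline' in script-src, a browser
// that enforces CSP refuses to run an inline <script> or an onerror= handler
// even if a reflected payload slipped through. The policy is an assumed
// starting point; a real deployment must allow whatever assets the app loads.
// header() is a silent no-op under the CLI SAPI.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
}

// Request handling as it might sit in a process/*.php script (assumed shape):
// reject invalid input with a 400 and never echo the rejected value back.
function handle_groupe_save(array $request): string
{
    send_security_headers();
    $groupeId = validate_groupe_id($request['groupe_id'] ?? null);
    if ($groupeId === null) {
        http_response_code(400);
        return '<p>Invalid group identifier.</p>';
    }
    // ... persist the group record here ...
    return render_group_saved($groupeId);
}

// Constructed demonstration input; not a payload from the advisory.
$payload = '7<img src=x onerror=alert(1)>';

echo 'unsafe:   ' . render_group_saved_unsafe($payload) . "\n";
echo 'hardened: ' . handle_groupe_save(['groupe_id' => $payload]) . "\n";
echo 'hardened: ' . handle_groupe_save(['groupe_id' => '7']) . "\n";
```

The first line of output shows the unsafe pattern returning the payload's markup verbatim, which is exactly what a browser would execute; the second shows the same payload being rejected before it is ever rendered, and the third shows a legitimate numeric identifier passing through. Validation alone would already stop this particular input, but the output encoding in h() is what protects the page if a non-numeric value ever reaches the template through another path, and the CSP limits the damage if both of those are bypassed.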

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Soplanning; Soplanning soplanning
Vendors & Products                    Soplanning; Soplanning soplanning

Sat, 09 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Cross Site Scripting via groupe_id in SOPlanning 1.52

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Cross Site Scripting via groupe_id in SOPlanning 1.52.00

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Cross Site Scripting via groupe_id in SOPlanning 1.52.00
Weaknesses CWE-79

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T21:29:15.895Z

Reserved: 2024-04-26T00:00:00.000Z

Link: CVE-2024-33724

Vulnrichment

Updated: 2026-05-08T17:01:43.032Z

NVD

Status: Deferred

Published: 2026-05-08T06:16:09.547

Modified: 2026-05-08T22:16:28.227

Link: CVE-2024-33724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:24:05Z

Weaknesses