SOPlanning Stored XSS Vulnerability (CVE-2025-62297): Upgrade to Secure Your Project Planning!

Overview

CVE-2025-62297 describes a Stored Cross-Site Scripting (XSS) vulnerability in SOPlanning, a web-based project planning tool. The flaw affects the /projets endpoint: an attacker with medium privileges can inject HTML and JavaScript into project data, which is stored and then executed in the browser of any user who opens or edits the affected project page. Possible consequences include session hijacking, defacement and redirection to phishing sites.

Technical Details

The Stored XSS vulnerability exists due to insufficient input sanitization and output encoding within the /projets endpoint of SOPlanning. Specifically, when creating or modifying a project, the application does not properly validate or escape user-supplied data before storing it in the database. As a result, an attacker can insert malicious HTML or JavaScript code into fields such as the project name, description, or other related input fields. When another user views or edits the project, the stored malicious code is executed in their browser, within the context of the SOPlanning web application.

CVSS Analysis

The CVSS score for CVE-2025-62297 is currently listed as N/A. Given the vulnerability class (Stored XSS), its potential impact and the privileges required (Medium), a score in the medium to high range would be appropriate; a full assessment is needed to determine the final score.

Possible Impact

The successful exploitation of this Stored XSS vulnerability can have significant consequences:

  • Account Compromise: An attacker could steal user session cookies, allowing them to impersonate legitimate users and gain unauthorized access to the application.
  • Data Theft: Malicious scripts can be used to extract sensitive data from the SOPlanning application, such as project details, user information, or financial data.
  • Website Defacement: The attacker could modify the appearance of the affected page, displaying misleading or malicious content.
  • Malware Distribution: The injected script could redirect users to malicious websites or trigger the download of malware.

Mitigation or Patch Steps

The vulnerability has been fixed in SOPlanning version 1.55. It is strongly recommended to upgrade to this version or a later version as soon as possible.

  1. Upgrade SOPlanning: Download and install the latest version (1.55 or later) from the official SOPlanning website.
  2. Input Validation: Validate all user inputs on the server-side to ensure that they conform to expected formats and do not contain malicious code.
  3. Output Encoding: Encode all user-supplied data for the context in which it is rendered (HTML body, attribute value) before sending it to the browser, so that stored content cannot execute as script.
  4. Web Application Firewall (WAF): Implement a WAF to detect and block XSS attacks.
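As an added illustration (not SOPlanning's own code, which is PHP), the following Python models the pattern described above: a renderer that interpolates stored project fields into HTML unescaped beside one that encodes them for the HTML body and attribute contexts, a server-side validation check for a project name, and an audit helper, because upgrading to 1.55 blocks new injection but does not remove payloads already sitting in the database. The field names, sample rows and the regular expression are assumptions.

```python
import html
import re

# Constructed sample rows standing in for what a /projets handler would read
# from the database; row 2 models a project whose name and description were
# injected before the upgrade.
SAMPLE_PROJECTS = [
    {"id": 1, "name": "Website relaunch", "description": "Q3 milestones"},
    {"id": 2, "name": "Audit <script>alert(1)</script>",
     "description": 'x" onmouseover="alert(2)'},
]

def render_project_row_unsafe(project):
    """Interpolates stored fields straight into HTML: the pattern behind the CVE."""
    return (
        f'<tr><td>{project["name"]}</td>'
        f'<td><input name="description" value="{project["description"]}"></td></tr>'
    )

def render_project_row_safe(project):
    """Encodes each field for its output context; quote=True also covers
    attribute values, so the description cannot break out of value="..."."""
    name = html.escape(project["name"], quote=True)
    desc = html.escape(project["description"], quote=True)
    return (
        f'<tr><td>{name}</td>'
        f'<td><input name="description" value="{desc}"></td></tr>'
    )

# Tag openers, inline event handlers and javascript: URLs (assumed heuristic).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def validate_project_name(name, max_len=120):
    """Server-side check: length-bounded and free of tag or handler syntax."""
    return 0 < len(name) <= max_len and not MARKUP_RE.search(name)

def find_suspicious_rows(projects):
    """Audit helper returning ids of rows whose stored fields contain markup."""
    return [
        p["id"] for p in projects
        if not validate_project_name(p["name"]) or MARKUP_RE.search(p["description"])
    ]
```

Run the audit over exported project rows after upgrading and review the flagged ids by hand; the output encoder protects the page even where the audit misses something.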
