Stored XSS in SOPlanning_CVE-2025-62731

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint.

This issue was fixed in version 1.55.

Basic Information

ID CVE-2025-62731

Source CERT-PL

Published Nov 20, 2025 at 15:44

Modified Nov 20, 2025 at 15:52

Affected Product

Vendor SOPlanning

Product SOPlanning

Affected Versions SOPlanning SOPlanning 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "SOPlanning is vulnerable to Stored XSS in /feries\u00a0endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint.\n\nThis issue was fixed in version 1.55.",
    "published": "2025-11-20T15:44:17.319Z",
    "modified": "2025-11-20T15:52:05.230Z",
    "type": "cve",
    "title": "Stored XSS in SOPlanning",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2025/11/CVE-2025-62293\nhttps://www.soplanning.org/en/",
    "id": "CVE-2025-62731",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "SOPlanning SOPlanning 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SOPlanning",
    "version": "0",
    "vendor": "SOPlanning",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}