Compliance Impact

This vulnerability allows an unauthenticated attacker to access backup archives containing user databases with usernames and password hashes, as well as sensitive configuration files. Such unauthorized access to personal and sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Failure to enforce authorization on backup functionalities compromises confidentiality and integrity of user data, potentially resulting in non-compliance with these standards that mandate protection against unauthorized data access.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in SOPlanning version 1.55 and below, where the software does not enforce authorization for its backup functionalities.

As a result, an unauthenticated attacker can directly access backup-related endpoints without any restrictions.

This allows the attacker to retrieve backup archives that contain sensitive data such as user databases with usernames and password hashes, as well as the config.csv file which holds additional sensitive information.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have severe impacts because it allows unauthorized access to sensitive data.

• Exposure of user databases including usernames and password hashes, which could lead to credential compromise.
• Access to configuration files containing sensitive information that could be used to further exploit the system.

Overall, this could lead to unauthorized data disclosure, potential account takeovers, and further system compromise.

Useful 0 Not Useful 0