CVE-2024-33722 Overview
CVE-2024-33722 is a SQL Injection vulnerability [CWE-89] affecting SOPlanning version 1.52.00, an open-source online project planning tool. The flaw resides in the projets.php endpoint, where the statut[] parameter is not properly sanitized before being used in a database query. An authenticated attacker can inject crafted SQL payloads to manipulate backend queries.
Successful exploitation allows attackers to read, modify, or potentially delete records in the SOPlanning database. The vulnerability requires valid authenticated access, which limits exposure to users with existing application credentials.
Critical Impact
Authenticated SQL injection in projets.php via the statut[] parameter enables unauthorized access to project planning data and potential database manipulation.
Affected Products
- SOPlanning 1.52.00
- SOPlanning instances exposing the projets.php endpoint to authenticated users
- Web deployments running the affected SOPlanning release without input sanitization patches
Discovery Timeline
- 2026-05-08 - CVE-2024-33722 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2024-33722
Vulnerability Analysis
The vulnerability exists in SOPlanning 1.52.00 within the projets.php script, which handles project listing and filtering. The application accepts a statut[] array parameter representing project status filters. SOPlanning incorporates this user-supplied input into a SQL query without proper parameterization or sanitization.
Because statut[] is processed as an array, attackers can inject SQL fragments into individual array elements. The injected SQL executes within the context of the SOPlanning database user, exposing project data, user records, and other application tables.
The issue is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. Exploitation requires only low-privileged authenticated access, lowering the barrier for malicious insiders or attackers who obtain user credentials through phishing or credential stuffing.
Root Cause
The root cause is unsafe construction of SQL statements using concatenated user input. SOPlanning fails to apply prepared statements or parameter binding when processing the statut[] filter. Array elements are inserted directly into the query string, breaking out of the intended IN() or WHERE clause context.
Attack Vector
The attack vector is network-based through the web interface. An attacker authenticates to SOPlanning, then submits a crafted POST or GET request to projets.php containing a malicious statut[] payload. The server executes the injected SQL against the underlying database, returning data or modifying records based on the payload structure. Public exploitation details are available in the GitHub Exploit Repository.
Detection Methods for CVE-2024-33722
Indicators of Compromise
- HTTP requests to projets.php containing SQL metacharacters such as ', --, UNION, or SLEEP( within the statut[] parameter
- Database error messages logged from SOPlanning referencing syntax errors near user-supplied values
- Unexpected long-running queries originating from the SOPlanning application database account
Detection Strategies
- Inspect web server access logs for requests to projets.php with abnormal statut[] values containing SQL keywords or encoded payloads
- Deploy a Web Application Firewall (WAF) rule set tuned to detect SQL injection patterns against PHP applications
- Correlate authentication events with subsequent anomalous database query volume from the same session
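The log inspection strategy above, as an added example that is not part of the original advisory: a small scanner over Apache-style access log lines that isolates requests to projets.php, extracts every statut[] value (percent-decoding twice so double-encoded payloads are caught), and flags values containing the metacharacters and keywords the advisory lists as indicators. The log lines, IPs, usernames and timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Markers taken from the advisory's indicators (quote, --, UNION SELECT, SLEEP()),
# plus the comment and statement separators commonly seen in injection probing.
SQLI_PATTERN = re.compile(
    r"(?i)(['\"#;]|--|/\*|\bunion\b\s+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()"
)

# Apache/nginx "combined" style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# statut[], statut[0], statut[1] ... all map to the same PHP array parameter
STATUT_KEY = re.compile(r"^statut(\[\d*\])?$")

# Constructed sample log: one clean filter request, two injection probes
# against projets.php (the second one double-encoded), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - alice [08/May/2026:10:01:12 +0000] "GET /soplanning/projets.php'
    '?statut%5B%5D=open&statut%5B%5D=closed HTTP/1.1" 200 5123',
    '10.0.0.9 - bob [08/May/2026:10:02:40 +0000] "GET /soplanning/projets.php'
    '?statut%5B%5D=open%27%29%20UNION%20SELECT%201--%20 HTTP/1.1" 500 312',
    '10.0.0.9 - bob [08/May/2026:10:02:58 +0000] "GET /soplanning/projets.php'
    '?statut[]=open%2527%2520OR%2520SLEEP%25285%2529 HTTP/1.1" 200 5123',
    '10.0.0.7 - carol [08/May/2026:10:03:10 +0000] "GET /soplanning/index.php'
    '?statut%5B%5D=%27 HTTP/1.1" 200 800',
]


def suspicious_statut_values(target):
    """Return the statut[] values in a request target that carry SQLi markers."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "projets.php":
        return []
    # parse_qs already percent-decodes keys and values once
    qs = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for key, values in qs.items():
        if not STATUT_KEY.match(key):
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double encoding
            if SQLI_PATTERN.search(decoded):
                hits.append(decoded)
    return hits


def scan_access_log(lines):
    """Yield one finding per log line whose statut[] values look like injection."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand
        hits = suspicious_statut_values(match["target"])
        if hits:
            findings.append({
                "ip": match["ip"],
                "user": match["user"],
                "time": match["time"],
                "status": int(match["status"]),
                "values": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Because the scanner keys on the authenticated username and source IP, its output can be joined against login events to implement the session correlation the advisory recommends; a 500 response on a flagged request is a useful secondary signal that the payload reached the database layer.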
Monitoring Recommendations
- Enable PHP and MySQL query logging on SOPlanning hosts to capture parameter values submitted to projets.php
- Alert on repeated 500-series HTTP responses from projets.php that may indicate injection probing
- Monitor authenticated user sessions for atypical access patterns to project filter endpoints
How to Mitigate CVE-2024-33722
Immediate Actions Required
- Restrict access to the SOPlanning application to trusted networks until a patched version is deployed
- Audit existing SOPlanning user accounts and disable inactive or unnecessary credentials to reduce the authenticated attack surface
- Review database and web server logs for prior exploitation attempts targeting projets.php
Patch Information
No official vendor patch URL is listed in the available CVE references. Administrators should monitor the SOPlanning project repository for releases newer than 1.52.00 that address the statut[] SQL injection. Until a fixed release is available, apply compensating controls through input filtering or WAF rules. Exploit proof-of-concept code is published in the GitHub Exploit Repository and should be referenced when validating mitigations.
Workarounds
- Configure a WAF or reverse proxy to block requests where statut[] parameters contain SQL metacharacters such as quotes, semicolons, or comment markers
- Enforce strict allowlisting of expected statut[] values at the application or proxy layer
- Limit the database privileges of the SOPlanning application account to minimize the impact of successful injection
# Example WAF rule (ModSecurity) blocking SQLi patterns in the statut[] parameter.
# Selecting the argument by name (ARGS:/regex/) inspects only statut[] values,
# instead of chaining on ARGS_NAMES and then matching every argument in the request.
SecRule ARGS:/^statut\[\]$/ "@rx (?i)(union\s+select|sleep\s*\(|--|';)" \
    "id:1003372,phase:2,deny,status:403,t:none,t:urlDecodeUni,\
    msg:'Potential SQLi in SOPlanning projets.php statut[] parameter'"
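The root cause described above (array elements concatenated into an IN() list) and the allowlisting workaround, shown side by side as an added example that is not SOPlanning's code. The table, rows and status names are constructed stand-ins for a project table; SQLite is used so the script runs offline, but the parameter-binding pattern is the same with MySQL drivers.

```python
import sqlite3

# Constructed allowlist of the statuses a project filter may legitimately carry.
ALLOWED_STATUSES = {"open", "closed", "pending"}


def build_db():
    """Create a throwaway in-memory table standing in for the projects table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projets (id INTEGER, nom TEXT, statut TEXT)")
    conn.executemany("INSERT INTO projets VALUES (?, ?, ?)", [
        (1, "Roadmap", "open"),
        (2, "Migration", "closed"),
        (3, "Audit", "pending"),
        (4, "Restricted", "archived"),   # never selectable through the filter
    ])
    return conn


def filter_vulnerable(conn, statut):
    """The CWE-89 pattern: each array element is quoted by string concatenation,
    so a quote inside one element terminates the literal and the rest of the
    element becomes SQL."""
    in_list = ",".join("'" + s + "'" for s in statut)
    sql = "SELECT id FROM projets WHERE statut IN (" + in_list + ")"
    return sorted(row[0] for row in conn.execute(sql))


def invalid_statut_values(statut):
    """Return the elements that are not on the allowlist (empty means accept)."""
    if not isinstance(statut, (list, tuple)):
        raise ValueError("statut must be submitted as an array")
    return [s for s in statut if s not in ALLOWED_STATUSES]


def filter_hardened(conn, statut):
    """Allowlist every element, then bind each one as a query parameter;
    the IN() list is built from placeholders only, never from user text."""
    bad = invalid_statut_values(statut)
    if bad:
        raise ValueError(f"rejected statut values: {bad}")
    placeholders = ",".join("?" for _ in statut)
    sql = f"SELECT id FROM projets WHERE statut IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, tuple(statut)))


if __name__ == "__main__":
    db = build_db()
    # Constructed probe: closes the IN() list and appends an always-true condition
    probe = ["open') OR 1=1 --"]
    print("vulnerable, normal input :", filter_vulnerable(db, ["open"]))
    print("vulnerable, probe        :", filter_vulnerable(db, probe))
    print("hardened,   normal input :", filter_hardened(db, ["open", "pending"]))
    try:
        filter_hardened(db, probe)
    except ValueError as err:
        print("hardened,   probe        : rejected ->", err)
```

Either defence alone would stop the probe: parameter binding keeps the quote inside the literal, and the allowlist rejects anything that is not a known status before a query is built. Applying both is the cheapest compensating control while a patched release is awaited, and the allowlist doubles as the value set a proxy-layer filter should enforce.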
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.