CVE-2024-33724 Overview
CVE-2024-33724 is a reflected Cross-Site Scripting (XSS) vulnerability affecting SOPlanning version 1.52.00, an open-source online project planning application. The flaw resides in the process/groupe_save.php endpoint, where the groupe_id parameter is rendered without proper output encoding or input sanitization. Attackers can craft a malicious URL containing JavaScript payloads that execute in the victim's browser when followed. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Successful exploitation enables session hijacking, credential theft, and unauthorized actions performed in the context of an authenticated SOPlanning user.
Affected Products
- SOPlanning 1.52.00
- process/groupe_save.php endpoint
- groupe_id request parameter
Discovery Timeline
- 2026-05-08 - CVE-2024-33724 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2024-33724
Vulnerability Analysis
The vulnerability exists in SOPlanning 1.52.00's group management workflow. The process/groupe_save.php script accepts the groupe_id parameter from HTTP requests and reflects its value back into server-generated HTML responses. The application fails to apply contextual output encoding or input validation, allowing attacker-supplied script content to be interpreted as executable JavaScript by the browser.
Because the attack vector is network-based and requires user interaction, exploitation typically involves enticing a target user to click a crafted link. Once executed, the injected script runs under the SOPlanning origin and can access cookies, session tokens, and DOM content available to the authenticated user. The EPSS score for this CVE is 0.179% with a percentile of 39.065, indicating limited observed exploitation activity to date.
Root Cause
The root cause is missing input sanitization and output encoding for the groupe_id HTTP parameter in process/groupe_save.php. User-controlled data flows directly into HTML response context without HTML entity encoding, violating standard XSS prevention practices.
Attack Vector
An attacker delivers a malicious link containing a JavaScript payload encoded within the groupe_id parameter. When an authenticated SOPlanning user clicks the link, the server reflects the payload into the HTML response, and the browser executes it. Public proof-of-concept details are documented in the GitHub XSS Exploit Documentation.
No verified code example is available; the exploitation mechanism is described in prose. The malicious request targets process/groupe_save.php with the groupe_id parameter set to an HTML or JavaScript fragment that the application reflects into the response page.
Detection Methods for CVE-2024-33724
Indicators of Compromise
- HTTP requests to process/groupe_save.php containing <script>, javascript:, or HTML event handlers in the groupe_id parameter.
- URL-encoded payloads such as %3Cscript%3E or onerror= patterns within query strings targeting SOPlanning endpoints.
- Referrer logs showing externally originated links pointing to SOPlanning group-save URLs with unusual parameter content.
Detection Strategies
- Inspect web server access logs for groupe_id parameter values containing angle brackets, quotes, or JavaScript keywords.
- Deploy Web Application Firewall (WAF) signatures that flag reflected XSS patterns against SOPlanning request paths.
- Correlate browser console errors and Content Security Policy (CSP) violation reports from authenticated user sessions.
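An added example (not from the page or the SOPlanning project) that implements the log inspection strategy above in Python: it parses combined-format access log lines, undoes repeated URL encoding so double-encoded payloads are not missed, and flags requests to process/groupe_save.php whose groupe_id carries markup or script instead of a numeric id. The log lines, client addresses and referer domain are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Apache/nginx "combined" format; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "process/groupe_save.php"
# Markup, quotes and script fragments that never belong in a numeric group id.
XSS_RE = re.compile(r"""[<>"']|javascript:|on[a-z]+\s*=""", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding (%253C -> %3C -> <) so double-encoded payloads are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_groupe_id(target):
    """Return the decoded groupe_id when the request hits groupe_save.php with markup/script in it, else None."""
    parts = urlsplit(target)
    if TARGET_PATH not in parts.path:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("groupe_id", []):
        value = decode_fully(raw)
        if XSS_RE.search(value):
            return value
    return None

def scan_log(lines):
    """Yield (client ip, timestamp, decoded groupe_id) for each suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hit = suspicious_groupe_id(m["target"])
            if hit is not None:
                yield m["ip"], m["ts"], hit

# Constructed sample lines (not real traffic): benign id, plain payload,
# double-encoded payload, and the same markup sent to an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2026:10:00:01 +0000] "GET /process/groupe_save.php?groupe_id=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [08/May/2026:10:02:13 +0000] "GET /process/groupe_save.php?groupe_id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "http://evil.example/" "Mozilla/5.0"',
    '10.0.0.9 - - [08/May/2026:10:03:44 +0000] "GET /process/groupe_save.php?groupe_id=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 480 "-" "curl/8.0"',
    '10.0.0.5 - - [08/May/2026:10:04:00 +0000] "GET /index.php?groupe_id=%3Cb%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious groupe_id: {payload!r}")
```

Feed real access logs through scan_log line by line; the same-origin request to index.php is ignored on purpose because only the groupe_save.php reflection is in scope here.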
Monitoring Recommendations
- Monitor authentication and session activity for anomalous post-click behavior such as unexpected privilege changes or data modifications.
- Forward SOPlanning web server logs to a centralized log analytics platform for retroactive XSS query inspection.
- Alert on outbound HTTP requests from user browsers to attacker-controlled domains following SOPlanning navigation events.
How to Mitigate CVE-2024-33724
Immediate Actions Required
- Upgrade SOPlanning to a version later than 1.52.00 once the vendor publishes a fix addressing the groupe_id reflection issue.
- Restrict access to the SOPlanning application using network controls or VPN until a patched release is deployed.
- Educate users to avoid clicking unsolicited links referencing SOPlanning URLs, particularly those containing the groupe_id parameter.
Patch Information
No vendor patch is referenced in the available CVE data. Administrators should monitor the SOPlanning project releases and the public exploit repository for updated remediation guidance.
Workarounds
- Deploy a WAF rule that blocks or sanitizes requests to process/groupe_save.php containing HTML special characters in groupe_id.
- Implement a strict Content Security Policy (CSP) header that disallows inline script execution to reduce XSS impact.
- Add server-side input validation enforcing numeric-only values for groupe_id before the parameter reaches application logic.
# Example ModSecurity rule to block reflected XSS on groupe_save.php.
# The first rule selects the vulnerable endpoint; the chained rule inspects the
# groupe_id argument after undoing any extra layer of URL encoding. The (?i)
# flag already makes the match case-insensitive, so no t:lowercase is needed.
# A stricter variant matching the numeric-only expectation for groupe_id would
# use the operator "!@rx ^[0-9]+$" in the chained rule instead of a signature list.
SecRule REQUEST_URI "@contains process/groupe_save.php" \
    "id:1003372,phase:2,deny,status:403,log,chain,msg:'Potential XSS in SOPlanning groupe_id'"
    SecRule ARGS:groupe_id "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.