SOPlanning v1.46.01 XSS / Session Hijack

    Disclosure Date:  07/06/2020

    CVE-2020-15597

    SOPlanning v1.46.01 and possibly before are affected by a persistent cross site scripting vulnerability that can be leveraged for session hijacking.  An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account.

    Add project:


    Insert malicious XSS:


    When viewing Stats:


    When viewing Audit:


    When adding Statutes:


    Inserting malicious XSS:


    Repeatable in Places:


    Repeatable in Resources:


    With a handler setup, we are able to capture the session cookie:


    We tamper with the cookie:


    We refresh and we're logged in as the admin:


    © 2020 sevenlayers.com