Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-05-21
Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-01-06
Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is fixed in 0.23.0.
CVSS Score
9.3
EPSS Score
0.001
Published
2024-10-11
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
CVSS Score
7.1
EPSS Score
0.002
Published
2023-07-15
Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
CVSS Score
7.1
EPSS Score
0.001
Published
2023-07-15