Plane 0.7.1 - Insecure file upload
CVE-2023-30791

7.1 HIGH

Key Information:

Vendor: Plane

Status
Vendor
CVE Published: 15 July 2023

What is CVE-2023-30791?

An issue has been identified in Plane version 0.7.1-dev in the feature that lets users change their profile avatar. The upload accepts files with an HTML extension, so an attacker can upload a file whose embedded HTML and JavaScript may be executed when it is opened. Such a vulnerability poses significant risks, including unauthorized actions on behalf of users and the possibility of leveraging malicious scripts for further attacks.
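The server-side check whose absence the description implies, as an added example (not Plane's code; `validate_avatar`, `RejectedUpload`, the allowlist and the sample bytes are hypothetical and constructed for illustration). It requires the content and the extension to agree on an allowlisted image type, stores the file under a server-generated name, and returns response headers that keep a browser from rendering the file as a document.

```python
import secrets

# Allowlist (assumption): MIME type -> (stored extension, accepted extensions, magic bytes)
ALLOWED = {
    "image/png": ("png", {"png"}, (b"\x89PNG\r\n\x1a\n",)),
    "image/jpeg": ("jpg", {"jpg", "jpeg"}, (b"\xff\xd8\xff",)),
    "image/gif": ("gif", {"gif"}, (b"GIF87a", b"GIF89a")),
}


class RejectedUpload(ValueError):
    """Raised when an upload is not an allowlisted image."""


def sniff_type(data: bytes):
    """Return the allowlisted MIME type whose magic bytes start the data, else None."""
    for mime, (_, _, magics) in ALLOWED.items():
        if data.startswith(magics):
            return mime
    return None


def validate_avatar(filename: str, data: bytes) -> dict:
    """Validate an avatar upload; return the storage name and serving headers."""
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower() if dot else ""
    mime = sniff_type(data)
    if mime is None:
        raise RejectedUpload("content is not an allowlisted image type")
    stored_ext, accepted_exts, _ = ALLOWED[mime]
    if ext not in accepted_exts:
        raise RejectedUpload(f"extension {ext!r} does not match {mime}")
    # Never reuse the client-supplied name: the stored extension comes from the content.
    stored_name = f"{secrets.token_hex(16)}.{stored_ext}"
    # Magic bytes alone do not stop polyglot files, so the response headers
    # also forbid MIME sniffing and script execution for served uploads.
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return {"stored_name": stored_name, "headers": headers}


# Constructed sample inputs (not taken from any real report)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML = b"<html><script>console.log(1)</script></html>"
```

Serving uploads from a separate origin with no session cookies limits the impact further if a file ever slips past these checks.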

Affected Version(s)

Plane Linux 0.7.1

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
