Filtered by vendor Plane
Subscribe
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-21616 | 1 Plane | 1 Plane | 2025-06-20 | N/A | 5.4 MEDIUM |
| Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image. | |||||
| CVE-2025-48070 | 1 Plane | 1 Plane | 2025-06-20 | N/A | 3.5 LOW |
| Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue. | |||||
| CVE-2023-30791 | 1 Plane | 1 Plane | 2024-11-21 | N/A | 7.1 HIGH |
| Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript. | |||||
| CVE-2023-2268 | 1 Plane | 1 Plane | 2024-11-21 | N/A | 7.1 HIGH |
| Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users. | |||||
| CVE-2024-47830 | 1 Plane | 1 Plane | 2024-11-12 | N/A | 5.8 MEDIUM |
| Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is fixed in 0.23.0. | |||||