CVE-2025-69284
- EPSS 0.16%
- Veröffentlicht 02.01.2026 15:42:05
- Zuletzt bearbeitet 25.02.2026 14:58:56
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is...
CVE-2025-48070
- EPSS 0.23%
- Veröffentlicht 21.05.2025 22:15:51
- Zuletzt bearbeitet 20.06.2025 16:05:45
Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with...
CVE-2025-21616
- EPSS 0.26%
- Veröffentlicht 06.01.2025 22:15:11
- Zuletzt bearbeitet 20.06.2025 18:08:44
Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as ...
CVE-2024-47830
- EPSS 0.55%
- Veröffentlicht 11.10.2024 15:15:05
- Zuletzt bearbeitet 12.11.2024 19:55:58
Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locati...
CVE-2023-2268
- EPSS 0.57%
- Veröffentlicht 15.07.2023 19:15:09
- Zuletzt bearbeitet 21.11.2024 07:58:16
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
CVE-2023-30791
- EPSS 0.46%
- Veröffentlicht 15.07.2023 19:15:09
- Zuletzt bearbeitet 21.11.2024 08:00:54
Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.