CVE-2025-48070

Low CVSS: 3.5

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

Vendor

Plane

Product

Plane

CWE

CWE-276

Yayın Tarihi

2025-05-21 22:15:51

Güncelleme

2025-06-20 16:05:45

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-276 Plane LOW Plane 2025

Referanslar

https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29 https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48 https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48

Benzer Kayıtlar

High

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/seri…

High

CVE-2026-30244

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate work…

Medium

CVE-2026-27705

Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in…

High

CVE-2026-27706

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSR…

Medium

CVE-2025-69284

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[…

Medium

CVE-2025-21616

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane…