Plane
Monthly
Server-Side Request Forgery (SSRF) in Makeplane Plane (versions 0.28.0 to before 1.3.0) allows authenticated attackers with low privileges to perform full-read SSRF attacks against internal network resources. The vulnerability exists because incomplete remediation of a previous SSRF issue (GHSA-jcc6-f9v6-f7jw) left the favicon fetch path vulnerable to redirect-based attacks. When an attacker supplies an HTML page containing a link tag with an href redirecting to a private IP address via the 'Add link' feature, the fetch_and_encode_favicon() function follows redirects without validation, enabling unauthorized access to internal resources. Requires authenticated access; no public exploit identified at time of analysis.
Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. No patch is currently available for affected Golang and Django deployments.
Plane is an an open-source project management tool. [CVSS 8.5 HIGH]
Plane versions before 1.2.2 contain a server-side request forgery vulnerability in the "Add Link" feature that allows authenticated users to send arbitrary GET requests to internal networks and retrieve full response bodies. An attacker with basic user privileges can exploit this to steal sensitive data from internal services and cloud metadata endpoints. No patch is currently available.
Plane prior to version 1.2.2 allows authenticated users to modify project assets across any workspace by directly referencing asset IDs, as the asset lookup fails to verify workspace and project ownership. An attacker with guest-level credentials can enumerate asset UUIDs and alter asset attributes and upload status without authorization. The vulnerability has been patched in version 1.2.2.
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. [CVSS 4.3 MEDIUM]
Plane is open-source project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Plane is an open-source project management tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Server-Side Request Forgery (SSRF) in Makeplane Plane (versions 0.28.0 to before 1.3.0) allows authenticated attackers with low privileges to perform full-read SSRF attacks against internal network resources. The vulnerability exists because incomplete remediation of a previous SSRF issue (GHSA-jcc6-f9v6-f7jw) left the favicon fetch path vulnerable to redirect-based attacks. When an attacker supplies an HTML page containing a link tag with an href redirecting to a private IP address via the 'Add link' feature, the fetch_and_encode_favicon() function follows redirects without validation, enabling unauthorized access to internal resources. Requires authenticated access; no public exploit identified at time of analysis.
Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. No patch is currently available for affected Golang and Django deployments.
Plane is an an open-source project management tool. [CVSS 8.5 HIGH]
Plane versions before 1.2.2 contain a server-side request forgery vulnerability in the "Add Link" feature that allows authenticated users to send arbitrary GET requests to internal networks and retrieve full response bodies. An attacker with basic user privileges can exploit this to steal sensitive data from internal services and cloud metadata endpoints. No patch is currently available.
Plane prior to version 1.2.2 allows authenticated users to modify project assets across any workspace by directly referencing asset IDs, as the asset lookup fails to verify workspace and project ownership. An attacker with guest-level credentials can enumerate asset UUIDs and alter asset attributes and upload status without authorization. The vulnerability has been patched in version 1.2.2.
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. [CVSS 4.3 MEDIUM]
Plane is open-source project management software. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Plane is an open-source project management tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.