CVE-2023-30791 HIGH

CVE-2023-30791: Plane 0.7.1 - Insecure file upload

Vendor Plane
Product Plane
Weakness CWE-434 · Unrestricted file upload
Published July 15, 2023
Last update October 30, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Plane version 0.7.1-dev allows an attacker to change the avatar of their profile. The avatar upload accepts files with an HTML extension, which are interpreted as both HTML and JavaScript.

Key dates

02 Disclosure timeline

July 15, 2023 CVE published
October 30, 2024 Record updated