CVE-2024-47830 CRITICAL

CVE-2024-47830: Plane allows server side request forgery via /_next/image endpoint

Vendor Makeplane
Product plane
Weakness CWE-918 · SSRF
Published October 11, 2024
Last update October 15, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

What the vulnerability does

Description

Plane is an open-source project management tool. The Next.js image configuration in /web/next.config.js uses the ** wildcard, so the /_next/image endpoint will retrieve images from any hostname. This may permit an attacker to induce the server side into performing requests to unintended locations (server-side request forgery). This vulnerability is fixed in 0.23.0.
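The following is an added illustration of the weak setting described above beside a restricted one, written for this page and not taken from Plane's repository. It uses the real Next.js `images.remotePatterns` option, which is what `/_next/image` consults before proxying a remote image; the hostnames shown are placeholders, and the small review helper (`findOverlyBroadPatterns`, `isSafeImageConfig`) is a hypothetical configuration check, not part of Next.js or of the 0.23.0 fix.

```javascript
// next.config.js fragments (added example, not Plane's actual configuration).
// Weak setting: a '**' hostname lets /_next/image fetch from any remote host,
// which is the condition behind CWE-918 (SSRF) in this advisory.
const permissiveImageConfig = {
  images: {
    remotePatterns: [{ protocol: "https", hostname: "**" }],
  },
};

// Restricted setting: only the hosts the deployment genuinely serves images from.
// The hostnames below are placeholders, not Plane's real asset hosts.
const restrictedImageConfig = {
  images: {
    remotePatterns: [
      { protocol: "https", hostname: "assets.example.com", pathname: "/uploads/**" },
      { protocol: "https", hostname: "**.cdn.example.com" },
    ],
  },
};

// Hypothetical configuration-review helper: returns the remotePatterns entries
// whose hostname is nothing but wildcards ('*' or '**'), i.e. that match any host.
function findOverlyBroadPatterns(config) {
  const images = (config && config.images) || {};
  const patterns = Array.isArray(images.remotePatterns) ? images.remotePatterns : [];
  return patterns.filter((p) => {
    const host = String(p.hostname || "");
    // Drop a leading wildcard label; if no concrete label remains, every host matches.
    const concrete = host.replace(/^\*{1,2}\.?/, "");
    return concrete.length === 0;
  });
}

// True when no pattern allows arbitrary hosts.
function isSafeImageConfig(config) {
  return findOverlyBroadPatterns(config).length === 0;
}

// Usage: run the check over a deployment's exported config, e.g.
//   isSafeImageConfig(permissiveImageConfig)  -> false
//   isSafeImageConfig(restrictedImageConfig)  -> true
```

In a real next.config.js the chosen object is exported with `module.exports`; the helper is meant for a configuration audit or a CI lint step that fails the build when a catch-all hostname appears in `remotePatterns`. A `**` prefix on a concrete domain (`**.cdn.example.com`) is still accepted, since it only widens matching to that domain's subdomains rather than to arbitrary hosts.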

Key dates

Disclosure timeline

October 11, 2024 CVE published
October 15, 2024 Record updated