CVE-2025-21616 MEDIUM

CVE-2025-21616: Plane has a Cross-site scripting (XSS) via SVG image upload

Vendor Makeplane
Product plane
Weakness CWE-79 · XSS
Published January 6, 2025
Last update January 7, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

Key dates

02Disclosure timeline

January 6, 2025 CVE published
January 7, 2025 Record updated