CVE-2025-21616

Published: Jan 6, 2025Modified: Jun 20, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: security-advisories@github.com (Secondary)

Description

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

Affected (1)

Products: Plane: Plane

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Plane Plane	Before 0.23.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.