CVE-2025-48070

Published: May 21, 2025Modified: Jun 20, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

Affected (1)

Products: Plane: Plane

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Plane Plane	Before 0.23.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (3)

https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29

Source: security-advisories@github.com

Patch

https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.