CVE-2025-48070

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29
https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48
https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48

Configurations

No configuration.

History

22 May 2025, 16:15

Type	Values Removed	Values Added
Summary		(es) Plane es un software de gestión de proyectos de código abierto. Las versiones anteriores a la 0.23 tienen permisos inseguros en UserSerializer, lo que permite a los usuarios modificar campos de solo lectura, como el correo electrónico. Esto puede provocar el robo de cuentas al combinarse con otra vulnerabilidad, como cross-site scripting (XSS). La versión 0.23 corrige este problema.
References	~~() https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48 -~~	() https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48 -

21 May 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 22:15

Updated : 2025-05-23 15:55

NVD link : CVE-2025-48070

Mitre link : CVE-2025-48070

CVE.ORG link : CVE-2025-48070

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

3.5 /10