Plane v0.7.1 - Unauthorized access to files
7.5
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Plane v0.7.1 - Insecure file upload
Code name
State
Public
Release date
Jul 14, 2023
Affected product
Plane
Affected version(s)
0.7.1
Vulnerability name
Insecure file upload
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v3.1 base score
7.5
Exploit available
Yes
CVE ID(s)
Description
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
Vulnerability
In the application users can change the photo of their avatar and upload different types of files of different extensions which are all stored in the same folder and there is no restriction. Any unauthenticated person can access and download the resources. Knowing that Plane is created to create issues on projects and manage them, this is critical, because if bugs are reported on an application, an attacker can obtain the evidence and files of the same issue.
Exploit
Evidence of exploitation
By accessing the /uploads/ directory you can see all the files stored on the server.
Our security policy
We have reserved the CVE-2023-2268 to refer to this issue from now on. Disclosure policy
System Information
Version: Plane 0.7.1
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/makeplane/plane
Timeline
Vulnerability discovered
Jun 19, 2023
Vendor Confirmed Vuln.
Jun 23, 2023
Vendor contacted
Jun 20, 2023
Public disclosure
Jul 14, 2023
