Plane 0.7.1 - Insecure file upload
7.1 (High)
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Plane v0.7.1 - Insecure file upload
Code name:
State: Public
Release date: Jul 14, 2023
Affected product: Plane
Affected version(s): 0.7.1
Vulnerability name: Insecure file upload
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 7.1
Exploit available: Yes
CVE ID(s):
Description
Plane version 0.7.1-dev allows an attacker to change the avatar of their profile through an upload that accepts files with an HTML extension, which are then interpreted as both HTML and JavaScript.
Vulnerability
The vulnerability arises because the upload accepts files other than JPG and PNG, the only types it says are allowed: files of any extension and size can be uploaded and stored without validation. An attacker can therefore upload an HTML file as a profile avatar. The stored file may contain malicious JavaScript with which the attacker can steal session cookies from users and the administrator.
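The server-side check whose absence is described above, as an added example (this is not Plane's code and not a vendor patch). The function names, the 5 MiB size limit and the sample inputs are assumptions made for illustration; the allowed types come from the page.

```python
import secrets

# Policy from the page: only JPG and PNG are meant to be accepted.
# The 5 MiB limit is an assumption; the page states no size limit.
MAX_BYTES = 5 * 1024 * 1024
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
}
ALLOWED_EXT = {"png": {"png"}, "jpg": {"jpg", "jpeg"}}

class UploadRejected(ValueError):
    pass

def validate_avatar(filename: str, data: bytes) -> dict:
    """Return storage metadata for an accepted avatar, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("size outside allowed range")
    # Decide the type from the leading bytes, not from the client-supplied name.
    kind = next((v for m, v in MAGIC.items() if data.startswith(m)), None)
    if kind is None:
        raise UploadRejected("content is not PNG or JPEG")
    ext, content_type = kind
    client_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if client_ext not in ALLOWED_EXT[ext]:
        raise UploadRejected("extension does not match content")
    return {
        # Server-generated name: the client never controls the stored extension.
        "stored_name": f"{secrets.token_hex(16)}.{ext}",
        # Fixed type plus nosniff keeps a polyglot file from rendering as HTML.
        "headers": {
            "Content-Type": content_type,
            "X-Content-Type-Options": "nosniff",
        },
    }

# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTML = b"<html><body>constructed placeholder</body></html>"

def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_avatar(filename, data)
        return True
    except UploadRejected:
        return False
```

A signature check alone does not stop a file that starts with valid image bytes and continues with markup, which is why the stored name and the response content type are derived from the detected type rather than from the upload request.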
Exploit

Evidence of exploitation
Log in as any user and go to "Settings -> General -> Logo (Upload)". We create a file with an HTML extension whose content sends the user's cookies in a request to an attacker's server.
Once the attacker obtains the cookies, they can use them to log in to the user's account and, as seen in this example, gain full control of the account to delete, create, and view.

Our security policy
We have reserved CVE-2023-30791 to refer to this issue from now on.
System Information
Version: Plane 0.7.1
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/makeplane/plane
Timeline
Vulnerability discovered: Jun 16, 2023
Vendor Confirmed Vuln.: Jun 23, 2023
Vendor contacted: Jun 16, 2023
Public disclosure: Jul 14, 2023