CVE-2023-30791

EUVD-2023-35153
Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Fluid AttacksCNA
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
planeplane
0.7.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fluidattacks.com/advisories/indio/
https://github.com/makeplane/plane
https://fluidattacks.com/advisories/indio/
https://github.com/makeplane/plane