Plane 0.7.1 - Insecure file upload
Summary
Name | Plane v0.7.1 - Insecure file upload |
Code name | |
Product | Plane |
Affected versions | 0.7.1 |
State | Public |
Release date | 2023-07-14 |
Vulnerability
Kind | Insecure file upload |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
CVSSv3.1 Base Score | 7.1 |
Exploit available | Yes |
CVE ID(s) | CVE-2023-30791 |
Description
Plane version 0.7.1-dev allows an attacker to change the avatar of their profile, and the avatar upload accepts files with an HTML extension, which are interpreted as both HTML and JavaScript.
Vulnerability
The vulnerability arises because the upload accepts files other than the JPG and PNG formats it says are allowed: files of any extension and size can be uploaded and stored without validation. An attacker can therefore upload an HTML file as a profile avatar. The file may contain malicious JavaScript, which is stored and can be used to steal session cookies from users and the administrator.
Exploit
Evidence of exploitation
Log in as any user and, from the menu, go to "Settings -> General -> Logo (Upload)". We create a file with an HTML extension whose content sends the user's cookies in a request to an attacker's server.
Once the attacker obtains the cookies, he can use them to log into the user's account and, as seen in this example, gain full control of the account to delete, create, and view.
Our security policy
We have reserved CVE-2023-30791 to refer to this issue from now on.
System Information
- Version: Plane 0.7.1
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
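The server-side check whose absence is described under Vulnerability, as an added example that is not Plane's code or a vendor fix: the file type is decided from the content rather than the client's filename, and the stored name is generated by the server. `validate_avatar`, `RejectedUpload`, the sample inputs and the 5 MiB limit are assumptions made for illustration.

```python
import uuid

MAX_AVATAR_BYTES = 5 * 1024 * 1024  # assumed limit; the advisory states none

# Content signatures for the two formats the upload dialog says it accepts.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
}

# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML = b"<html><body>constructed placeholder</body></html>"


class RejectedUpload(ValueError):
    """Raised when an uploaded avatar fails validation."""


def validate_avatar(client_filename: str, data: bytes) -> dict:
    """Return a server-chosen name and serving headers, or raise RejectedUpload.

    The client-supplied filename and extension are never trusted.
    """
    if not data:
        raise RejectedUpload("empty file")
    if len(data) > MAX_AVATAR_BYTES:
        raise RejectedUpload("file too large")
    for magic, (ext, content_type) in SIGNATURES.items():
        if data.startswith(magic):
            return {
                # Random name plus an extension derived from the content.
                "stored_name": f"{uuid.uuid4().hex}.{ext}",
                # Headers to send when serving the file, so a browser treats
                # it as an image even if markup is appended after the header.
                "headers": {
                    "Content-Type": content_type,
                    "X-Content-Type-Options": "nosniff",
                },
            }
    raise RejectedUpload(f"not a PNG or JPEG: {client_filename!r}")


if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("avatar.html", SAMPLE_HTML)]:
        try:
            print(name, "->", validate_avatar(name, blob)["stored_name"])
        except RejectedUpload as exc:
            print(name, "-> rejected:", exc)
```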
Credits
The vulnerability was discovered by Lautaro Casanova from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/makeplane/plane
Timeline
- 2023-06-16: Vulnerability discovered.
- 2023-06-16: Vendor contacted.
- 2023-06-23: Vendor confirmed the vulnerability.
- 2023-07-14: Public disclosure.