CVE-2025-48070

MEDIUM EPSS 13.3%
Published May 21, 20251y ago · Modified Jun 17, 20262w ago
4.3 CVSS 3.1
Medium
Find Similar
Published May 21, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
13.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-276

Affected Products 1

VendorProductVersionRange
planeplane* <0.23.0

References 2

  • github.com https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29
    Patch
  • github.com https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29
    Patch