CVE-2025-48070
MEDIUM EPSS 13.3%
Published May 21, 20251y ago · Modified Jun 17, 20262w ago
4.3 CVSS 3.1
Published May 21, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
Description
Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
13.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-276
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| plane | plane | * | <0.23.0 |
References 2
- github.com https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29
- github.com https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48
Remediation
- github.com https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29