CVE-2024-47830

Published: Oct 11, 2024

Modified: Oct 15, 2024

PUBLISHED

CVSS v3.1

9.3

CRITICAL

Description

Plane is an open-source project management tool. Plane uses the ** wildcard support to retrieve the image from any hostname as in /web/next.config.js. This may permit an attacker to induce the server side into performing requests to unintended locations. This vulnerability is fixed in 0.23.0.

Vendor	Product	Versions
makeplane	plane	affected `< 0.23.0`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

High

References

https://github.com/makeplane/plane/security/advisories/GHSA-39gx-38xf-c348

x_refsource_CONFIRM

https://github.com/makeplane/plane/commit/b9f78ba42b70461c8c1d26638fa8b9beef6a96a1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-47830

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References