Lucene search

[email protected]CVE-2023-30791

HistoryJul 15, 2023 - 7:15 p.m.

CVE-2023-30791

2023-07-1519:15:09

CWE-434

[email protected]

web.nvd.nist.gov

cve-2023-30791

html file upload

javascript execution

plane version 0.7.1-dev

security vulnerability

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.1%

JSON

Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.

Affected configurations

NVD

Node

planeplaneMatch0.7.1

CPENameOperatorVersion
plane:planeplaneeq0.7.1

CPE	Name	Operator	Version
plane:plane	plane	eq	0.7.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "Plane",
    "vendor": "Plane",
    "versions": [
      {
        "status": "affected",
        "version": "0.7.1"
      }
    ]
  }
]

References

fluidattacks.com/advisories/indio/

github.com/makeplane/plane

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.1%

JSON

Related for CVE-2023-30791

osv1 nvd1 prion1 cvelist1