Plane Profile Image Upload Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in Plane versions prior to 0.23. This issue allows authenticated users to upload SVG files as profile images. These SVG files can contain malicious JavaScript that executes in the browsers of users viewing the profile image.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to theft of session tokens and sensitive information, unauthorized actions on behalf of the victim, and potentially more severe attacks by escalating the initial JavaScript execution.

Reproduction

To reproduce this vulnerability, upload a crafted SVG file containing embedded JavaScript as a profile image. When another user views the profile or any page displaying the image, the JavaScript will execute.

Remediation

Users are advised to upgrade to Plane version 0.23 or later. If an immediate upgrade is not possible, configure Content Security Policy (CSP) headers to block script execution from uploaded content.