Plane Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Plane project management software, prior to version 0.28.0. The issue resides in the description_html field, which lacks proper sanitization, allowing attackers to inject malicious JavaScript. This injected code is executed in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive information, or redirection to malicious sites. The vulnerability could also be combined with CSRF attacks to perform unauthorized actions, or used to distribute malware and exploit other browser vulnerabilities.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the content. This could result in session hijacking, theft of sensitive information, or unauthorized actions if combined with CSRF attacks. Additionally, the vulnerability could be used to distribute malware or exploit other browser vulnerabilities.

Reproduction

The vulnerability can be reproduced by injecting JavaScript payloads into the description_html field of Plane versions through 0.27.1. Once the payload is saved, it will execute in the browser of any user who views the affected content.

Remediation

Users can upgrade to Plane version 0.28.0 or later to address this vulnerability.