Plane Open-Source Project Management Software Open Redirect Vulnerability Leading to Cross-Site Scripting

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Plane, an open-source project management tool, prior to version 1.1.0. The issue arises from an open redirect in the '?next_path' query parameter: the value is used as a redirect target without being restricted to a same-origin path, so an attacker can supply an arbitrary scheme such as 'javascript:'. When the application redirects to such a value, the embedded script is executed in the context of the user's browser. The vulnerability can be exploited without authentication and has serious implications, including unauthorized access to sensitive information, privilege escalation, and unauthorized modifications to administrative settings.
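The root cause described above is a redirect parameter that accepts any URL, including ones with a scheme. The defensive pattern is to treat the parameter as an untrusted string and accept only same-origin absolute paths, falling back to a fixed default otherwise. The following validator is an added example and is not Plane's own code or its fix; the origin 'https://app.example.invalid' and the function names are assumptions for illustration.

```javascript
// Added example (not Plane's code): validate a post-login redirect
// parameter such as `next_path` before handing it to the browser.
// Accepts only same-origin absolute paths; everything else falls back
// to DEFAULT_PATH.

const DEFAULT_PATH = "/";
// Assumed placeholder origin; a real deployment would use its own.
const APP_ORIGIN = "https://app.example.invalid";

function isSafeNextPath(raw) {
  // Only non-empty strings of sane length are candidates.
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return false;
  }
  // Reject control characters and whitespace: browsers strip them from
  // URLs, which would let "java<TAB>script:" reach the scheme parser.
  if (/[\u0000-\u001F\u007F\s]/.test(raw)) {
    return false;
  }
  // Require exactly one leading slash. "//host" is a protocol-relative
  // URL and "/\host" is parsed the same way by browsers.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return false;
  }
  // Let the WHATWG URL parser settle any remaining ambiguity: resolve
  // against the fixed app origin and require origin and scheme to be
  // unchanged. This is what catches scheme smuggling such as "javascript:".
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN);
  } catch {
    return false;
  }
  return parsed.origin === APP_ORIGIN && parsed.protocol === "https:";
}

// Returns the validated path, or DEFAULT_PATH when the input is unsafe.
function safeNextPath(raw) {
  return isSafeNextPath(raw) ? raw : DEFAULT_PATH;
}

// Constructed sample inputs demonstrating the decision.
const samples = [
  "/workspaces/acme/settings", // accepted: same-origin path
  "javascript:void(0)",         // rejected: scheme instead of path
  "//evil.example/",            // rejected: protocol-relative URL
  "https://evil.example/",      // rejected: absolute URL, other origin
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(safeNextPath(s)));
}
```

The allowlist approach (one leading slash, then an origin check after parsing) is deliberately stricter than a denylist of known-bad schemes: it does not need to enumerate 'javascript:', 'data:', or encoding tricks, because anything that is not a same-origin path is refused.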

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of the victim's browser. This could be used to steal information, escalate privileges by creating admin accounts, or alter important settings like the SMTP server configuration.

Reproduction

To reproduce this vulnerability, an administrative user can inject JavaScript into the 'next_path' query parameter. For example, the injected script could fetch the '/api/workspaces/<WORKSPACE>/invitations/' endpoint with a payload that creates a new admin account, or modify the instance's SMTP configuration by sending a crafted request that includes the desired changes.

Remediation

Users are advised to update to Plane version 1.1.0 or later, where this vulnerability has been patched.

Added: Oct 24, 2025, 8:21 PM
Updated: Oct 24, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 6.0
exploitability: 5.8
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.