Planka X-Frame-Options and CSP Frame-Ancestors Header Missing Vulnerability

Vulnerability

Planka version 2.0.0 serves its pages without the response headers that prevent other sites from embedding them in an iframe, namely X-Frame-Options and the Content Security Policy (CSP) frame-ancestors directive. Without these headers, a malicious site can frame the legitimate Planka application and overlay it with fake forms, potentially tricking users into entering sensitive information or credentials. The supplier disputes the impact, stating that Planka uses SameSite=Strict cookies to prevent cross-origin authentication and that no unauthorized actions or credential interception are possible; the absence of the protective headers could nonetheless be exploited under certain conditions.

Impact

Exploitation of this vulnerability could lead to phishing attacks, with users being tricked into entering sensitive information or credentials into overlaid fake forms on a malicious site.
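A response-header check for the condition described above, added here as an example and not code from this advisory or from the Planka project; the header sets it evaluates are constructed, not captured from a Planka instance.

```python
"""Classify an HTTP response's framing (clickjacking) posture from its headers.
Added example, not code from the advisory or from Planka; the header sets at the
bottom are constructed sample inputs, not captured responses."""
from typing import Dict, List, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None when it is absent.
    An empty source list matches nothing, which is equivalent to 'none'."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None

def framing_posture(headers: Dict[str, str]) -> str:
    """Classify framing protection. Browsers that support CSP frame-ancestors honour
    it over X-Frame-Options, so the CSP directive is checked first. A
    Content-Security-Policy-Report-Only header is ignored: it enforces nothing."""
    csp = _header(headers, "Content-Security-Policy")
    sources = csp_frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        if sources == ["'none'"]:
            return "csp-none"        # nothing may frame the page
        if any(s in ("*", "http:", "https:") for s in sources):
            return "csp-open"        # directive present but permits any origin
        if sources == ["'self'"]:
            return "csp-self"        # same-origin framing only
        return "csp-allowlist"       # explicit list of permitted ancestor origins
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "xfo-" + value.lower()  # legacy header alone, still honoured
        return "xfo-invalid"         # e.g. ALLOW-FROM, which current browsers ignore
    return "unprotected"             # neither header: the condition in this advisory

def frameable_cross_origin(headers: Dict[str, str]) -> bool:
    """True when an unrelated site could embed this response in an iframe."""
    return framing_posture(headers) in ("unprotected", "csp-open", "xfo-invalid")

# Constructed sample responses (not captured from a Planka instance).
MISSING = {"Content-Type": "text/html"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
```

Run it against the headers returned by your own deployment (for example from a reverse proxy in front of Planka) to confirm that the hardened posture is actually reaching the browser.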

Added: Jan 5, 2026, 6:17 PM
Updated: Jan 5, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 5.0
exploitability: 6.4
remediation: 0.0
relevance: 1.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.