Plane.io Guest User Workspace Member Enumeration Vulnerability

A vulnerability exists in Plane.io versions prior to 1.2.0, allowing guest users to access the '/api/workspaces/:slug/members/' endpoint. This endpoint, which should be restricted, enables guests to list members of specific workspaces they have joined. The issue arises because the 'display_name' in the response corresponds to the email handle, potentially allowing malicious guests to identify the email addresses of admin users. This vulnerability does not affect versions 1.2.0 and later.

Impact

Exploitation of this vulnerability allows guest users to view a list of workspace members, including the email addresses of admin users, which could be used for social engineering or other malicious purposes.

Reproduction

To reproduce this vulnerability, a guest account must be created and joined to a workspace. Once the account is active in the workspace, the '/api/workspaces/:slug/members/' endpoint can be accessed. The response will include the 'display_name' of all members, which reveals the email handles of admin users. This can be done using a simple HTTP GET request to the vulnerable endpoint.

Remediation

Users can upgrade to Plane version 1.2.0 or later, where this vulnerability has been fixed.