Plane ORM Field Reference Injection Vulnerability in Saved Analytics Endpoint

Vulnerability

A vulnerability allowing ORM field reference injection has been identified in Plane, an open-source project management tool, in versions through 1.3.0. The issue arises in the SavedAnalyticEndpoint, which improperly validates the user-controlled segment query parameter before passing it to a Django F() expression. This flaw allows authenticated workspace members to manipulate the segment value and extract sensitive information from related database fields, such as bcrypt password hashes, API tokens, and email addresses, by traversing foreign-key relationships. The extracted data is returned directly in the JSON response, creating a significant privacy risk.

Impact

Exploitation of this vulnerability allows an authenticated workspace member to access and extract sensitive information from any related model field, including password hashes, API tokens, and email addresses, with the extracted values returned directly in the API response.

Reproduction

To reproduce this vulnerability, an authenticated workspace member can send a GET request to the SavedAnalyticEndpoint with a crafted segment parameter that references a sensitive field, such as 'workspace__owner__password' or 'assignees__email'. The response will include the requested field values, demonstrating the successful exploitation of the ORM field reference injection.

Remediation

Users can upgrade to Plane version 1.3.1, which addresses this vulnerability by adding proper validation to the segment parameter in the SavedAnalyticEndpoint, preventing unvalidated user input from being passed to Django's F() expressions.
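The remediation above comes down to one rule: a client-supplied segment name must never reach F() unless it is exactly one of the field names the endpoint is meant to support. The Python below is an added illustration, not code from Plane or from the 1.3.1 fix. It shows an exact-match allowlist check placed in front of the expression, the view-level decision that turns a rejected value into a 400 instead of a query, and a small detection routine that flags off-allowlist segment values in access logs. The allowed segment names, the URL path and the log lines are assumptions constructed for the example; the only Django-specific step (wrapping the validated name in F()) is left as a comment so the code runs without Django installed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of segment fields the analytics endpoint supports.
# Exact-match is the point: "assignees__id" is allowed, "assignees__email"
# and "workspace__owner__password" are not, even though all three are
# syntactically valid ORM lookups.
ALLOWED_SEGMENTS = frozenset({
    "state",
    "priority",
    "labels__id",
    "assignees__id",
    "created_by",
})


class InvalidSegmentError(ValueError):
    """Raised when a client-supplied segment is not on the allowlist."""


def validate_segment(segment, allowed=ALLOWED_SEGMENTS):
    """Return `segment` only if it is exactly one of the allowed names.

    Any other value, including relationship traversals that would read
    fields on related models, is rejected before it can become an
    F() expression.
    """
    if not isinstance(segment, str) or segment not in allowed:
        raise InvalidSegmentError(f"unsupported segment: {segment!r}")
    return segment


def handle_segment_param(query_params, allowed=ALLOWED_SEGMENTS):
    """Mimic the view-layer decision for the segment query parameter.

    Returns (http_status, payload). In a real Django view the validated
    name is the only thing that would be wrapped as F(name) and passed
    to annotate()/values(); here the name itself is returned so the
    decision is testable without Django.
    """
    segment = query_params.get("segment")
    if segment is None:
        return 200, {"segment": None}  # no segmentation requested
    try:
        validated = validate_segment(segment, allowed)
    except InvalidSegmentError as exc:
        return 400, {"error": str(exc)}
    return 200, {"segment": validated}


# Detection side: scan access logs for segment values that are not on the
# allowlist. Log format and request path are constructed for this example.
_REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/')

LOG_LINES = [
    '10.0.0.5 - - "GET /api/workspaces/acme/analytics/?segment=priority HTTP/1.1" 200',
    '10.0.0.7 - - "GET /api/workspaces/acme/analytics/?segment=workspace__owner__password HTTP/1.1" 200',
    '10.0.0.9 - - "GET /api/workspaces/acme/analytics/?x_axis=state HTTP/1.1" 200',
]


def suspicious_segments(log_lines, allowed=ALLOWED_SEGMENTS):
    """Return (client_ip, segment) pairs for requests whose segment is off-allowlist."""
    findings = []
    for line in log_lines:
        match = _REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target = match.group(1), match.group(2)
        for segment in parse_qs(urlsplit(target).query).get("segment", []):
            if segment not in allowed:
                findings.append((client_ip, segment))
    return findings


if __name__ == "__main__":
    print(handle_segment_param({"segment": "priority"}))
    print(handle_segment_param({"segment": "assignees__email"}))
    print(suspicious_segments(LOG_LINES))
```

The allowlist is deliberately a set of literal names rather than a pattern such as "no double underscore": a legitimate segment may itself traverse a relation (assignees__id in the assumed list), and the hazard is which field a name resolves to, not its spelling. The log scan uses the same set, so the detection rule and the mitigation cannot drift apart.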

Added: May 20, 2026, 10:21 PM
Updated: May 20, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.