Lucene search

Fluid AttacksCVE-2023-30791

HistoryJul 15, 2023 - 7:15 p.m.

CVE-2023-30791

2023-07-1519:15:09

CWE-434

Fluid Attacks

web.nvd.nist.gov

cve-2023-30791

html file upload

javascript execution

plane version 0.7.1-dev

security vulnerability

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

23.8%

JSON

Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.

Affected configurations

Nvd

Node

planeplaneMatch0.7.1

VendorProductVersionCPE
planeplane0.7.1cpe:2.3:a:plane:plane:0.7.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
plane	plane	0.7.1	cpe:2.3:a:plane:plane:0.7.1:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "Plane",
    "vendor": "Plane",
    "versions": [
      {
        "status": "affected",
        "version": "0.7.1"
      }
    ]
  }
]

References

fluidattacks.com/advisories/indio/

github.com/makeplane/plane

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

23.8%

JSON

Related for CVE-2023-30791