Lucene search

GoogleOSV:CVE-2023-30791

HistoryJul 15, 2023 - 7:15 p.m.

CVE-2023-30791

2023-07-1519:15:09

Google

osv.dev

cve-2023-30791

attacker

avatar

profile

html

javascript

unauthorized

upload

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.2%

JSON

Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.

CPENameOperatorVersion
planeeq0.2.1-de
planeeq0.4-de
planeeq0.3.1-de
planeeq0.7.1-de
planeeq0.1-de
planeeq0.2-de
planeeq0.7-de
planeeq0.6-de
planeeq0.5-de

Name	Operator	Version
plane	eq	0.2.1-de
plane	eq	0.4-de
plane	eq	0.3.1-de
plane	eq	0.7.1-de
plane	eq	0.1-de
plane	eq	0.2-de
plane	eq	0.7-de
plane	eq	0.6-de
plane	eq	0.5-de

References

fluidattacks.com/advisories/indio/

github.com/makeplane/plane

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.2%

JSON

Related for OSV:CVE-2023-30791