CVE-2023-30791: Plane 0.7.1 - Insecure file upload | Advisories | Fluid Attacks

Summary

Name: Plane v0.7.1 - Insecure file upload
Code name: Indio
Product: Plane
Affected versions: 0.7.1
State: Public
Release Date: 2023-07-14

Vulnerability

Kind: Insecure file upload
Rule: 027. Insecure file upload
Remote: Yes
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score: 7.1
Exploit available: Yes
CVE ID(s): CVE-2023-30791

Description

Plane version 0.7.1-dev allows an attacker to change the avatar of their own profile to a file with an HTML extension, which the browser then interprets as HTML and JavaScript.

Vulnerability

The vulnerability arises because the avatar upload, which is documented as accepting only JPG and PNG, in fact stores files of any extension and size without validation. An attacker can therefore upload an HTML file as a profile avatar; if that file contains JavaScript, it runs in the browser of any user who views it, and the script can steal that user's session cookies, including the administrator's.
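The missing checks described above, shown as an added defender-side example (this is not Plane's code, and the type allowlist, size cap and header values are assumptions): the upload is validated by extension, by magic bytes and by size, the client-supplied filename is discarded in favour of a server-generated one, and the stored file is served with headers that stop a browser from treating it as a document.

```python
"""Avatar upload validation: an added example of the checks the advisory
says were absent. Not Plane's code; names, limits and headers are assumed."""
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Optional

# Allowlist of image types the avatar feature is meant to accept.
# Each entry: canonical extension -> (MIME type, magic-byte prefix). Assumed values.
ALLOWED_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed cap; the advisory notes no size limit existed


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


@dataclass
class StoredAvatar:
    filename: str   # server-chosen name, never the client's
    mime_type: str  # content type the file will be served with
    size: int


def sniff_type(data: bytes) -> Optional[str]:
    """Return the allowlisted type whose magic bytes match, else None."""
    for ext, (_mime, magic) in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_avatar(client_filename: str, data: bytes) -> StoredAvatar:
    """Accept only a small PNG/JPEG judged by its bytes, and never store
    the client's own filename, so an '.html' name cannot reach disk."""
    if len(data) == 0:
        raise UploadRejected("empty upload")
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("avatar exceeds size limit")

    # 1. Extension check on the client's name: a cheap first filter, not trusted alone.
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext or '<none>'} not allowed")

    # 2. Content check: the bytes must actually be that image type.
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a PNG or JPEG image")
    if sniffed != ext:
        raise UploadRejected("extension does not match file content")

    # 3. Server-generated name: random id plus canonical extension, nothing from the client.
    mime, _magic = ALLOWED_TYPES[sniffed]
    return StoredAvatar(filename=f"{uuid.uuid4().hex}.{sniffed}", mime_type=mime, size=len(data))


def response_headers(avatar: StoredAvatar) -> Dict[str, str]:
    """Headers to serve the stored file with, so the browser never renders it
    as a document even if a check above were somehow bypassed."""
    return {
        "Content-Type": avatar.mime_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{avatar.filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads (not files from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SAMPLE_HTML = b"<html><script>/* would run if served as text/html */</script></html>"


def demo() -> Dict[str, str]:
    """Run each sample through the validator; map a label to its outcome."""
    results = {}
    for label, name, data in [
        ("png", "avatar.png", SAMPLE_PNG),
        ("jpeg", "photo.jpeg", SAMPLE_JPEG),
        ("html-as-html", "avatar.html", SAMPLE_HTML),  # the advisory's case
        ("html-as-png", "avatar.png", SAMPLE_HTML),    # renamed to pass an extension check
        ("png-as-jpg", "avatar.jpg", SAMPLE_PNG),      # extension/content mismatch
    ]:
        try:
            validate_avatar(name, data)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>14}: {outcome}")
```

The two PNG and JPEG samples are accepted; the HTML body is rejected whether it is named `.html` or renamed `.png`, because the decision rests on the bytes rather than the name. Serving with `nosniff` and a sandboxing CSP is defence in depth: it keeps a stored file from being interpreted as HTML even if validation is ever weakened.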

Exploit

Evidence of exploitation

Log in with any user, open the menu and go to "Settings -> General -> Logo (Upload)". The attacker creates a file with an HTML extension whose contents send the viewing user's cookies in a request to an attacker-controlled server.

Once the attacker obtains the cookies, they can use them to log into the user's account and, as seen in this example, gain full control of the account to delete, create and view data.

Our security policy

We have reserved CVE-2023-30791 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: Plane 0.7.1

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Lautaro Casanova from Fluid Attacks’ Offensive Team.

References

Vendor page: https://github.com/makeplane/plane

Timeline

2023-06-16: Vulnerability discovered.
2023-06-16: Vendor contacted.
2023-06-23: Vendor confirmed the vulnerability.
2023-07-14: Public disclosure.
