{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21616", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-29T03:00:24.713Z", "datePublished": "2025-01-06T21:22:24.129Z", "dateUpdated": "2025-01-07T15:46:31.863Z"}, "containers": {"cna": {"title": "Plane has a Cross-site scripting (XSS) via SVG image upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 0.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T21:22:24.129Z"}, "descriptions": [{"lang": "en", "value": "Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image."}], "source": {"advisory": "GHSA-rcg8-g69v-x23j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-07T15:46:22.549814Z", "id": "CVE-2025-21616", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-07T15:46:31.863Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-21616", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-07T15:46:22.549814Z"}}}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-07T15:46:12.588Z"}}], "cna": {"title": "Plane has a Cross-site scripting (XSS) via SVG image upload", "source": {"advisory": "GHSA-rcg8-g69v-x23j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": "< 0.23"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T21:22:24.129Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21616", "state": "PUBLISHED", "dateUpdated": "2025-01-07T15:46:31.863Z", "dateReserved": "2024-12-29T03:00:24.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-06T21:22:24.129Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "matchCriteriaId": "B71D6DB9-FD53-489A-AF83-855FBF28B78F", "versionEndExcluding": "0.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image."}, {"lang": "es", "value": "Plane es una herramienta de gesti\u00f3n de proyectos de c\u00f3digo abierto. Se ha identificado una vulnerabilidad de cross site scripting (XSS) en versiones de Plane anteriores a la 0.23. La vulnerabilidad permite a los usuarios autenticados cargar archivos SVG que contienen c\u00f3digo JavaScript malicioso como im\u00e1genes de perfil, que se ejecutan en los navegadores de las v\u00edctimas cuando ven la imagen de perfil."}], "id": "CVE-2025-21616", "lastModified": "2025-06-20T18:08:44.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-06T22:15:11.023", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rcg8-g69v-x23j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}