Impact
In Plane CE 1.3.1 the description_html field of intake work items can be populated with arbitrary HTML or JavaScript when the item is created via the API v1 intake endpoint. Because the payload is stored and rendered without proper escaping, a low-privileged project member can embed malicious code that will execute in the browsers of any user who later opens the work item, potentially leading to session hijacking, credential theft, or phishing attacks. The weakness corresponds to CWE-79.
Affected Systems
Plane CE 1.3.1 on Linux, macOS and Windows is affected; the vulnerability exists only in that release according to the available data.
Risk and Exploitability
The CVSS score of 6.9 signifies moderate severity while the EPSS score, being less than 1% at the time of analysis, indicates a very low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Although the attacker only needs a project-member role, the stored nature of the XSS means any user who views the compromised item is at risk, making the attack path straightforward but limited in scale.
OpenCVE Enrichment