Vendor: Plane
By: Saud Alenazi
CVSS: 7.1 HIGH
CWE: 918, Server Side Request Forgery (SSRF)
Product Name: Plane
Affected Version From: v0.23.1
Affected Version To: v0.23.1
Patch Exists: NO
Related CWE: CVE-2024-XXXX (To be assigned)
CPE: a:makeplane:plane:0.23.1
Platforms Tested: Windows 10 x64
Year: 2024

Plane – Server Side Request Forgery (SSRF)
A Server-Side Request Forgery (SSRF) vulnerability was found in the password recovery feature of the Plane application. An attacker can manipulate the email input field and insert a payload that forces the server to send HTTP requests to domains the attacker controls.
Mitigation:
To mitigate this vulnerability, validate and sanitize user inputs before processing them. Additionally, restrict the server from making requests to external domains.
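
Both mitigations as an added Python example (not Plane's code and not part of the advisory): a strict check on the recovery email field and an allowlist gate for outbound HTTP destinations. The function names, the allowlisted hostnames and every sample value are assumptions constructed for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only hosts the server legitimately calls (constructed values).
ALLOWED_OUTBOUND_HOSTS = {"smtp.example.internal", "api.mailprovider.example"}

# Conservative grammar: one local part, one dotted domain, no whitespace,
# no scheme, path or control characters.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}"
)


def is_valid_recovery_email(value):
    """Accept only a plain address; reject input carrying any extra syntax."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    # fullmatch (not match/search) so trailing newlines or appended text fail.
    return _EMAIL_RE.fullmatch(value) is not None


def is_allowed_outbound(url):
    """Permit outbound HTTP(S) only to allowlisted hostnames."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # IP literals would sidestep a name-based allowlist
    except ValueError:
        pass  # not an IP literal, continue with the hostname check
    return host in ALLOWED_OUTBOUND_HOSTS
```

The allowlist complements, and does not replace, network-level egress filtering, since an application check cannot cover requests issued by libraries that bypass it.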