I4Bdullah

**Name of the Vulnerable Software and Affected Versions** Plane versions prior to 0.23 **Description** The issue concerns insecure permissions in the `UserSerializer` that allow users to modify fields intended to be read-only, such as the `email`. This can potentially lead to account takeover when combined with another issue like cross-site scripting (XSS). **Recommendations** For versions prior to 0.23, update to version 0.23 to resolve the issue. As a temporary workaround, consider restricting access to the `UserSerializer` to prevent unauthorized changes to read-only fields.

**Name of the Vulnerable Software and Affected Versions** Plane versions prior to 0.23 **Description** A cross-site scripting (XSS) vulnerability has been identified in Plane. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image. **Recommendations** For versions prior to 0.23, update to version 0.23 or later to resolve the issue. As a temporary workaround, consider disabling the ability to upload SVG files as profile images until a patch is available. Restrict access to the profile image feature to minimize the risk of exploitation. Avoid using the profile image feature with SVG files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue allows an authenticated user with the privilege to add or edit annotations on the Content tab to craft a malicious annotation. This malicious annotation can be executed on the annotations page, specifically in the Annotation Text Column. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.