PT-2025-22443 · Plane · Plane
I4Bdullah
Published 2025-05-21 · Updated 2025-05-22
CVE-2025-48070
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Plane versions prior to 0.23
Description
The UserSerializer in Plane does not enforce read-only permissions on fields that users are not supposed to change, such as the email address. An authenticated user can therefore submit a profile update that rewrites these fields. On its own this is a low-impact integrity issue (CVSS I:L, no confidentiality or availability impact), but combined with another vulnerability such as cross-site scripting (XSS) that lets an attacker issue requests in the victim's session, the attacker could rebind the victim's account to an attacker-controlled email address, which can potentially lead to account takeover.
Recommendations
For versions prior to 0.23, update to version 0.23, which resolves the issue. As a temporary workaround, restrict what the UserSerializer accepts on write, for example by marking the email field and any other field that is not meant to be user-editable as read-only so that client-supplied values for them are ignored. Verify the workaround by sending a profile update that sets email and confirming that the stored value is unchanged.
Exploit
Fix
LPE
Weakness Enumeration
Incorrect Default Permissions (CWE-276)
Related Identifiers
Affected Products
Plane
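To show the failure mode from the Description beside the fix from the Recommendations, here is an added, dependency-free Python model of the pattern. It is not Plane's code and does not use Django REST framework; it only mirrors the DRF convention that fields listed in read_only_fields are ignored on input. The User dataclass, the Serializer classes, their field lists and the request payload are all constructed for this example; the advisory itself names only email as the affected field.

```python
"""Mass assignment through a serializer that does not mark fields read-only.

Hypothetical model of the pattern behind CVE-2025-48070 (not Plane's code,
not Django REST framework). It mirrors DRF semantics: fields in
read_only_fields are silently dropped from input, all other declared fields
are written to the model instance.
"""
from dataclasses import dataclass, replace


@dataclass
class User:
    """Constructed stand-in for the user model."""
    id: int
    email: str
    display_name: str


class Serializer:
    """Minimal stand-in for a DRF ModelSerializer's update path."""
    fields: tuple = ()
    read_only_fields: tuple = ()

    def update(self, instance: User, payload: dict) -> User:
        # Undeclared keys are dropped; read-only keys are ignored on input,
        # so only writable, declared fields ever reach the instance.
        writable = [f for f in self.fields if f not in self.read_only_fields]
        changes = {k: v for k, v in payload.items() if k in writable}
        return replace(instance, **changes)


class VulnerableUserSerializer(Serializer):
    """The weak configuration: email is exposed and writable."""
    fields = ("id", "email", "display_name")
    read_only_fields = ("id",)


class HardenedUserSerializer(Serializer):
    """The corrected configuration: email is exposed but read-only."""
    fields = ("id", "email", "display_name")
    read_only_fields = ("id", "email")


# Constructed request body: a legitimate-looking profile update that also
# tries to rebind the account's email and overwrite the primary key.
ATTACK_PAYLOAD = {
    "display_name": "Alice",
    "email": "attacker@example.invalid",
    "id": 999,
}


def simulate(serializer_cls, user: User, payload: dict = ATTACK_PAYLOAD) -> User:
    """Apply an update through the given serializer and return the result."""
    return serializer_cls().update(user, payload)


def audit(serializer_cls, sensitive=("email",)) -> list:
    """List the sensitive fields a serializer would accept on write.

    An empty list is the expected result after the fix or the workaround.
    """
    s = serializer_cls()
    return [f for f in sensitive if f in s.fields and f not in s.read_only_fields]


if __name__ == "__main__":
    victim = User(id=1, email="alice@example.invalid", display_name="alice")
    print("vulnerable:", simulate(VulnerableUserSerializer, victim))
    print("hardened:  ", simulate(HardenedUserSerializer, victim))
    print("audit:", audit(VulnerableUserSerializer), audit(HardenedUserSerializer))
```

Against a real DRF serializer the same check is `UserSerializer().fields["email"].read_only`, which should be True after the fix or the workaround; the end-to-end check is the one in the Recommendations, an update that sets email followed by confirming the stored address did not change.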