Description

Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

INFO

Published Date :

2025-05-21T22:11:06.177Z

Last Modified :

2025-05-22T15:52:48.689Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48070 vulnerability.

Vendors Products
Makeplane
  • Plane
Plane
  • Plane
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48070.

URL Resource
https://github.com/makeplane/plane/commit/0a8cc24da505fd519fcc3c9d6b5e15bc7ce21b29 cve-icon cve-icon
https://github.com/makeplane/plane/security/advisories/GHSA-cjh4-q763-cc48 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact