Overview

A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

Affected Services

Product: Plane API Service
Versions: < 0.23
Component: Profile Image Upload Feature
Platform: All platforms where Plane is deployed

Problem Description

The application allows users to upload SVG files as profile images without proper sanitization. SVG files can contain embedded JavaScript code that executes when the image is rendered in a browser. This creates an XSS vulnerability where malicious code can be executed in the context of other users' sessions.

Technical Impact

• Allows execution of arbitrary JavaScript code in victims' browsers
• Potential theft of session tokens and sensitive data
• Ability to perform unauthorized actions on behalf of the victim
• Possible escalation to more severe attacks through initial JavaScript execution

Attack Vectors

• Attacker uploads a specially crafted SVG file as their profile image
• The SVG file contains embedded JavaScript code
• When other users view the attacker's profile or any page displaying the profile image, the malicious code executes

Proof of Concept

The following SVG content demonstrates the vulnerability:

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
   <script type="text/javascript">  
      alert(0x539);
   </script>
</svg>

Recommended Actions

• Upgrade to Plane version 0.23 or later
• If immediate upgrade is not possible, Configure Content Security Policy (CSP) headers to prevent script execution from uploaded content