CVE-2025-55203
BaseFortify
Publication date: 2025-08-15
Last updated on: 2025-08-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| makeplane | plane | 0.27.1 |
| makeplane | plane | 0.28.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) flaw in the Plane project management software prior to version 0.28.0. It occurs because the description_html field does not properly sanitize or escape user input, allowing attackers to inject malicious JavaScript code. This code is stored in the application's database and executed in other users' browsers when they view the affected content, running in the application's context and bypassing security protections.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to session hijacking, theft of sensitive information, forced redirection to malicious sites, unauthorized actions via CSRF attack chaining, distribution of malware, and exploitation of additional browser vulnerabilities.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Plane to version 0.28.0 or later, as this version contains the patch that fixes the stored cross-site scripting (XSS) vulnerability in the description_html field. Additionally, avoid using vulnerable versions prior to 0.28.0 to prevent exploitation.
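As an added illustration of the defect class described in the two answers above (stored XSS through an unsanitized rich-text field, and the fix being sanitization before storage or rendering), the following Python sketch shows an allowlist HTML sanitizer for a field like `description_html`. It is not Plane's own code and the page does not say how the 0.28.0 patch was implemented; the field name is the only thing taken from the page, and the tag and attribute allowlists, the `sanitize_description_html` function and the sample inputs in the comments are assumptions constructed for the example. A deployment would normally use a maintained sanitizer library rather than this sketch, but the checks it performs (drop unknown tags, drop `<script>`/`<style>` with their contents, strip `on*` handlers, block `javascript:` URLs, re-escape text, balance tags) are the ones such a library applies.

```python
"""Allowlist HTML sanitizer for a rich-text field such as description_html.

Added example, not Plane's code. Assumes the value is sanitized server-side
before it is stored and again before it is rendered to other users.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the example; a real deployment tunes these.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "code", "pre", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # tag *and* its text are removed
VOID_TAGS = {"br"}                         # no closing tag emitted


def _safe_url(value: str) -> bool:
    """Relative URLs and http/https/mailto are kept; javascript:, data: etc. are not."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowed, non-void tags currently open (for balancing)
        self._dropping = None  # set to "script"/"style" while their contents are skipped

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (e.g. <img onerror=...>) is removed; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this drops on* handlers, style, id, class, ...
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue  # blocks javascript:/data: links
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in self._open:
            # close any tags left open inside this one so output stays balanced
            while self._open:
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # charrefs were decoded by the parser; re-escape so text can never become markup
        if not self._dropping:
            self.out.append(escape(data))

    # comments, declarations and processing instructions fall through and are dropped

    def finish(self) -> str:
        self.close()
        while self._open:  # close anything the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_description_html(raw: str) -> str:
    """Return a version of `raw` that is safe to store and to render to other users."""
    parser = _Sanitizer()
    parser.feed(raw)
    return parser.finish()


if __name__ == "__main__":
    # constructed sample inputs
    for sample in ('<p>Hi <b>team</b><script>alert(1)</script></p>',
                   '<img src=x onerror="alert(1)">',
                   '<a href="javascript:alert(1)" onclick="x()">link</a>',
                   '<b>unclosed 1 &lt; 2'):
        print(repr(sample), "->", repr(sanitize_description_html(sample)))
```

Applying the function at write time keeps hostile markup out of the database, and applying it (or full escaping) again at render time protects against content that reached the database by another path, such as an API client or an older version.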