CVE-2025-62716
BaseFortify
Publication date: 2025-10-24
Last updated on: 2025-10-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| makeplane | plane | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an open redirect issue in the Plane project management software prior to version 1.1.0. It occurs in the ?next_path query parameter, which allows attackers to supply arbitrary URL schemes such as javascript:. The parameter value is passed directly to router.push, which turns the open redirect into a cross-site scripting (XSS) vulnerability. This enables attackers to execute arbitrary JavaScript code in the victim's browser without authentication.
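To make the mechanism concrete from the defender's side, the following is an added example (not Plane's code and not part of this record) showing the unsafe pattern the description refers to next to a hardened redirect-target check. The router object, the origin value and the input strings are constructed for the demonstration; the validator accepts only a single-slash, same-origin path and falls back to a fixed in-app route otherwise.

```javascript
// Constructed application origin for the demo (assumption, not a real host).
const APP_ORIGIN = "https://plane.example";

// Unsafe pattern described in this record: the raw query value is handed
// straight to the router, so a value carrying a scheme (javascript:, data:,
// https://other-host) becomes the navigation target.
function redirectUnsafe(router, nextPath) {
  router.push(nextPath);
  return nextPath;
}

// Returns a same-origin absolute path ("/path?query#hash") or null when the
// value must not be used as a redirect target.
function sanitizeNextPath(raw, origin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  // Control characters and whitespace are commonly used to slip a scheme
  // past naive string checks, so reject them outright.
  if (/[\u0000-\u001F\u007F\s]/.test(raw)) return null;
  // Require a single leading slash: "//host" and "/\host" are treated as
  // protocol-relative URLs by browsers and many client-side routers.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return null;
  let parsed;
  try {
    parsed = new URL(raw, origin); // WHATWG URL parser, resolves relative to origin
  } catch {
    return null;
  }
  // Resolving against our own origin must not change it; an embedded scheme
  // or host would show up as a different origin here.
  if (parsed.origin !== new URL(origin).origin) return null;
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  const out = parsed.pathname + parsed.search + parsed.hash;
  // Path normalisation (e.g. "/..//host") can reintroduce a leading "//",
  // so re-check the serialised result, not just the raw input.
  if (out.startsWith("//") || out.startsWith("/\\")) return null;
  return out;
}

// Hardened pattern: validate first, fall back to a fixed route on failure.
function redirectSafe(router, nextPath, fallback = "/") {
  const target = sanitizeNextPath(nextPath) ?? fallback;
  router.push(target);
  return target;
}

// Minimal stand-in router that records what it was asked to navigate to
// (assumption: a real router exposes push(target) in the same way).
function makeRecordingRouter() {
  const calls = [];
  return { push: (target) => calls.push(target), calls };
}
```

The check deliberately works on the parsed result rather than on string prefixes alone: the origin comparison catches any scheme or host smuggled into the value, and re-checking the serialised path catches cases where normalisation of ".." segments produces a protocol-relative target the raw-input prefix check would have missed.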
How can this vulnerability impact me?
The vulnerability can have severe impacts, including information disclosure, privilege escalation, and unauthorized modification of administrative settings. Because it allows execution of arbitrary JavaScript in the victim's browser, attackers can potentially steal sensitive data or take control of user sessions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Plane to version 1.1.0 or later, as this version contains the patch that fixes the open redirect and cross-site scripting vulnerability.