CVE-2025-65922
BaseFortify
Publication date: 2026-01-05
Last updated on: 2026-01-08
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plankanban | planka | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The missing headers let any website embed the PLANKA application in an iframe, exposing users to UI redressing and phishing. Because PLANKA's cookies are set with SameSite=Strict and browsers do not send them on cross-site requests, a framed PLANKA renders without the victim's session, so the issue does not by itself allow unauthorized modification of data or interception of credentials; the residual risk is that a user is tricked into typing sensitive information into a page they believe is PLANKA. That may bear on obligations under standards such as GDPR and HIPAA that require appropriate protection of user data, but the actual exposure depends on user interaction and trust, and the supplier disputes the severity of the finding. [1]
Can you explain this vulnerability to me?
PLANKA 2.0.0 sends neither an X-Frame-Options header nor a Content-Security-Policy header with a frame-ancestors directive, so any website can load the application inside an iframe. An attacker can use that to build a UI-redressing (clickjacking) or phishing page: the genuine PLANKA interface is shown inside the attacker's page to lend it credibility, and the victim is lured into entering credentials or other sensitive data into forms the attacker controls. The supplier disputes the severity: PLANKA's cookies are set with SameSite=Strict, which browsers do not send on cross-site requests, so a framed PLANKA renders unauthenticated rather than showing the victim's boards, and browser security policy prevents the framing page from reading the frame's content or establishing a session through it.
How can this vulnerability impact me?
Users of your instance can be exposed to phishing: an attacker embeds the legitimate PLANKA application in a page they control to create false trust, then overlays or surrounds it with fake forms to capture credentials or other sensitive input. No unauthorized modification of projects or tasks is possible through the frame, and authentication is protected by SameSite=Strict cookies and browser policy, so the impact is limited to UI redressing and phishing attacks that depend on user interaction and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check whether responses from the PLANKA instance carry a framing restriction: either an X-Frame-Options header with the value DENY or SAMEORIGIN, or a Content-Security-Policy header whose frame-ancestors directive restricts embedding. Inspect the headers browsers actually receive, that is, through whatever reverse proxy or TLS terminator sits in front of PLANKA. For a quick look, run: curl -I https://your-planka-instance | grep -i 'X-Frame-Options' and curl -I https://your-planka-instance | grep -i 'Content-Security-Policy'. If neither header appears, or the only CSP present lacks a frame-ancestors directive, the instance is affected. Two caveats: curl -I sends a HEAD request, and some applications answer HEAD with different headers or not at all, so confirm with a GET if the result is unexpected; and a header that is present is not necessarily protective, since Content-Security-Policy-Report-Only only reports, a frame-ancestors value of * allows every origin, and X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers.
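The following script is an added example, not code from the BaseFortify page or the PLANKA project. It fetches headers with a GET rather than HEAD and classifies a header block by whether it actually restricts framing, treating the Report-Only header, a wildcard frame-ancestors and ALLOW-FROM as unprotected. The URL and the sample header blocks are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PLANKA project code): decide whether an HTTP response
# restricts framing, i.e. whether the CWE-1021 condition is present.
set -u

# Fetch response headers with a GET (curl -I sends HEAD, which some apps
# answer differently or reject). -L follows redirects to the final page.
fetch_headers() {
  curl -sS -L --max-time 10 -D - -o /dev/null "$1"
}

# Read a raw header block on stdin and print one word:
#   open     frame-ancestors is present but set to *, so any origin may frame
#   csp      CSP frame-ancestors restricts framing (authoritative in modern browsers)
#   xfo      only X-Frame-Options DENY/SAMEORIGIN present (legacy but effective)
#   weak     X-Frame-Options present with another value (e.g. obsolete ALLOW-FROM)
#   missing  neither header restricts framing (the CWE-1021 condition)
# Content-Security-Policy-Report-Only is deliberately not matched: it reports
# violations but does not block framing.
classify_framing() {
  local h
  h=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  if printf '%s\n' "$h" | grep -Eq '^content-security-policy:.*frame-ancestors +\*( |;|$)'; then
    echo open
  elif printf '%s\n' "$h" | grep -Eq '^content-security-policy:.*frame-ancestors'; then
    echo csp
  elif printf '%s\n' "$h" | grep -Eq '^x-frame-options: *(deny|sameorigin)'; then
    echo xfo
  elif printf '%s\n' "$h" | grep -q '^x-frame-options:'; then
    echo weak
  else
    echo missing
  fi
}

# Exit status wrapper for scripting: 0 when framing is restricted, 1 otherwise.
is_frame_protected() {
  case "$(classify_framing)" in
    csp|xfo) return 0 ;;
    *)       return 1 ;;
  esac
}

# Constructed samples (cookie name is a placeholder, not PLANKA's):
# a PLANKA 2.0.0-style response with no framing headers, a fixed response,
# and a response that only reports.
VULN_HEADERS=$(printf "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=x; HttpOnly; SameSite=Strict\r\n")
FIXED_HEADERS=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'none'\r\nX-Frame-Options: DENY\r\n")
REPORT_ONLY_HEADERS=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n")

# Against a live instance (placeholder URL), go through the reverse proxy
# that browsers actually hit:
#   fetch_headers https://planka.example.com/ | classify_framing
printf '%s' "$VULN_HEADERS" | classify_framing
printf '%s' "$FIXED_HEADERS" | classify_framing
```

Run it against the public URL of the deployment rather than the PLANKA container directly, since a proxy in front may add or strip the headers; `is_frame_protected` is there so the check can gate a CI or inventory job.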
What immediate steps should I take to mitigate this vulnerability?
Set the headers at whichever layer answers browsers, typically the reverse proxy in front of PLANKA or the application itself. Send Content-Security-Policy with a frame-ancestors directive of 'none' (or 'self' if PLANKA needs to frame itself, or an explicit list of trusted origins if embedding is intended); this is the directive modern browsers honour, and it takes precedence over X-Frame-Options when both are present. Add X-Frame-Options: DENY (or SAMEORIGIN) as a fallback for older browsers, and do not rely on ALLOW-FROM, which is obsolete. Make sure the headers are also sent on error responses and redirects, then repeat the header check from a client outside the deployment to confirm the application can no longer be embedded.
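An added reverse-proxy configuration illustrating the mitigation above; it is an example written here, not configuration shipped by PLANKA or BaseFortify. It assumes PLANKA is reached through nginx and listens on 127.0.0.1:1337 behind it (both placeholders), and the hostname is invented.

```nginx
# Added example (not PLANKA project configuration). Assumes PLANKA listens on
# 127.0.0.1:1337 behind this nginx reverse proxy; hostname is a placeholder.
server {
    listen 443 ssl;
    server_name planka.example.com;
    # TLS and other proxy directives omitted

    location / {
        proxy_pass http://127.0.0.1:1337;
        proxy_set_header Host $host;

        # Authoritative control in modern browsers; overrides X-Frame-Options
        # when both are present. Use 'self' if PLANKA must frame itself, or
        # list trusted origins (frame-ancestors 'self' https://intranet.example)
        # for deliberate embedding. Vulnerable state: neither header is sent.
        add_header Content-Security-Policy "frame-ancestors 'none'" always;

        # Fallback for browsers without CSP Level 2 support. No per-origin
        # allow-list exists here: ALLOW-FROM is obsolete and ignored.
        add_header X-Frame-Options "DENY" always;
    }
}
```

`always` makes nginx emit the headers on 4xx/5xx responses and redirects as well, not only on 2xx. Note that nginx `add_header` directives in a nested `location` replace, rather than extend, those of the enclosing block, so any additional `location` blocks (static assets, API paths) need the two lines repeated or factored into an included file.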