Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
In plane.io, a Guest User to a Workspace can still be able to see list of members
Vulnerability Description
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of users on a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
访问控制不恰当
Vulnerability Title
Plane 访问控制错误漏洞
Vulnerability Description
Plane是Plane开源的一个开源、自托管的项目规划工具。 Plane 1.2.0之前版本存在访问控制错误漏洞,该漏洞源于访客用户可访问特定工作区成员列表并识别管理员电子邮件地址,可能导致信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A