Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature
Vulnerability Description
Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Plane 代码问题漏洞
Vulnerability Description
Plane是Plane开源的一个开源、自托管的项目规划工具。 Plane 1.2.2之前版本存在代码问题漏洞,该漏洞源于添加链接功能中存在完全读取服务端请求伪造漏洞,允许具有一般用户权限的经过身份验证的攻击者向内部网络发送任意GET请求并泄露完整响应主体,可能导致从内部服务和云元数据端点窃取敏感数据。
CVSS Information
N/A
Vulnerability Type
N/A