Vulnerability Information
Vulnerability Title
Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint
Vulnerability Description
Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start_date and target_date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
Authorization Bypass Through User-Controlled Key
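The missing scope filter described above, as an added example that is not Plane's code: an in-memory model comparing an ID-only lookup with one restricted to the workspace and project of the request. The function names, field names and sample issues are hypothetical, and the caller is assumed to have already passed the membership check for the workspace and project named in the request.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Issue:
    id: str
    workspace: str
    project: str
    start_date: Optional[str] = None
    target_date: Optional[str] = None

def make_store():
    # Constructed sample data: two issues in unrelated workspaces/projects.
    return {
        "i-1": Issue("i-1", "acme", "web"),
        "i-2": Issue("i-2", "other-corp", "payroll"),
    }

def _apply(issue, update):
    # Only the two date fields named in the advisory are writable here.
    issue.start_date = update.get("start_date", issue.start_date)
    issue.target_date = update.get("target_date", issue.target_date)

def bulk_update_dates_unscoped(store, workspace, project, updates):
    """Before: issues are fetched by ID only; the request scope is never used."""
    changed = []
    for update in updates:
        issue = store.get(update["id"])
        if issue is not None:
            _apply(issue, update)
            changed.append(issue.id)
    return changed

def bulk_update_dates_scoped(store, workspace, project, updates):
    """After: the lookup is limited to the workspace and project of the request."""
    in_scope = {i.id: i for i in store.values()
                if i.workspace == workspace and i.project == project}
    changed, rejected = [], []
    for update in updates:
        issue = in_scope.get(update["id"])
        if issue is None:
            rejected.append(update["id"])  # unknown or out-of-scope ID: log it
            continue
        _apply(issue, update)
        changed.append(issue.id)
    return changed, rejected
```

The rejected list gives an audit signal: a bulk request that names issue IDs outside the caller's project is worth recording.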
Vulnerability Title
Plane Security Vulnerability
Vulnerability Description
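Plane is an open-source, self-hosted project planning tool from Plane. Versions of Plane prior to 1.3.0 contain a security vulnerability that stems from the IssueBulkUpdateDateEndpoint lacking workspace or project filtering, which may lead to cross-boundary data modification.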
CVSS Information
N/A
Vulnerability Type
N/A