CVE-2023-30791 Information

Description

Plane version 0.7.1-dev allows an attacker to change the avatar of his profile which allows uploading files with HTML extension that interprets both HTML and JavaScript.

Reference

https://fluidattacks.com/advisories/indio/ https://github.com/makeplane/plane