{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55203", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-08T21:55:07.965Z", "datePublished": "2025-08-15T15:06:00.636Z", "dateUpdated": "2025-08-15T19:09:18.212Z"}, "containers": {"cna": {"title": "Plane Stored XSS in Add Work Item Functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9"}, {"name": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing", "tags": ["x_refsource_MISC"], "url": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": "< 0.28.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-15T15:06:00.636Z"}, "descriptions": [{"lang": "en", "value": "Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users\u2019 browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application\u2019s database. When another user views the affected content, the injected code executes in their browser, running in the application\u2019s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0."}], "source": {"advisory": "GHSA-rwjc-xhh3-m9m9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T19:09:07.531262Z", "id": "CVE-2025-55203", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T19:09:18.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-15T19:09:07.531262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T19:09:13.630Z"}}], "cna": {"title": "Plane Stored XSS in Add Work Item Functionality", "source": {"advisory": "GHSA-rwjc-xhh3-m9m9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": "< 0.28.0"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing", "name": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users\u2019 browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application\u2019s database. When another user views the affected content, the injected code executes in their browser, running in the application\u2019s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-15T15:06:00.636Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55203", "state": "PUBLISHED", "dateUpdated": "2025-08-15T19:09:18.212Z", "dateReserved": "2025-08-08T21:55:07.965Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-15T15:06:00.636Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users\u2019 browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application\u2019s database. When another user views the affected content, the injected code executes in their browser, running in the application\u2019s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0."}], "id": "CVE-2025-55203", "lastModified": "2025-08-15T15:15:32.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-15T15:15:32.787", "references": [{"source": "[email protected]", "url": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing"}, {"source": "[email protected]", "url": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

{}