Plane version 0.7.1-dev allows an attacker to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30791.json",
"cwe_ids": [
"CWE-434"
],
"cna_assigner": "Fluid Attacks"
}