CVE-2025-55203

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing", "name": "https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing", "tags": [], "refsource": ""}, {"url": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users\u2019 browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application\u2019s database. When another user views the affected content, the injected code executes in their browser, running in the application\u2019s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-55203", "ASSIGNER": "security-advisories@github.com"}}, "impact": {}, "publishedDate": "2025-08-15T15:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-18T20:16Z"}