CVE-2025-65922

4.3 MEDIUM

📋 TL;DR

PLANKA 2.0.0 sends neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive, so the application can be embedded in iframes on arbitrary origins. This enables UI redressing attacks in which an attacker frames the legitimate Planka interface on a phishing site to trick users into entering credentials. The vendor disputes the severity, noting that SameSite=Strict cookies prevent a session from being established in cross-origin contexts.

💻 Affected Systems

Products:
  • PLANKA
Versions: 2.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PLANKA 2.0.0; other versions may have different configurations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users enter credentials into fake forms overlaid on the legitimate Planka interface, leading to credential theft and account compromise.

🟠 Likely Case

Phishing attacks where users are tricked into entering credentials on malicious sites that embed the legitimate Planka login page.

🟢 If Mitigated

Minimal impact, because SameSite=Strict cookies prevent the framed page from establishing a session; a phishing risk remains if users trust the malicious parent page and type credentials into it.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction and trust in malicious parent page; no technical bypass of SameSite=Strict cookies needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available; implement workarounds or upgrade if newer versions address this.

🔧 Temporary Workarounds

Add X-Frame-Options Header

Platform: all

Configure web server to add X-Frame-Options: DENY or SAMEORIGIN header to prevent framing.

For Apache: Header always set X-Frame-Options "DENY"
For Nginx: add_header X-Frame-Options "DENY" always;

Add CSP frame-ancestors Directive

Platform: all

Configure a Content-Security-Policy header whose frame-ancestors directive is 'self' (same-origin framing only) or 'none' (no framing at all) to control which origins may frame the application.

For Apache: Header always set Content-Security-Policy "frame-ancestors 'self'"
For Nginx: add_header Content-Security-Policy "frame-ancestors 'self'" always;

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to add X-Frame-Options or CSP headers.
  • Educate users about phishing risks and verify URLs before entering credentials.

🔍 How to Verify

Check if Vulnerable:

Use browser developer tools or curl to inspect the response headers, e.g. curl -I https://your-planka-url/, and confirm that neither an X-Frame-Options header nor a Content-Security-Policy header with a frame-ancestors directive is present.

Check Version:

Check PLANKA version in application interface or configuration files; default install shows version on login page.

Verify Fix Applied:

After applying a workaround, confirm that responses include X-Frame-Options: DENY (or SAMEORIGIN) or a Content-Security-Policy header containing frame-ancestors 'self' (or 'none').
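The two checks above (absence of the headers before the workaround, presence afterwards) can be scripted. The following is an added example, not part of the advisory or of the PLANKA project: a POSIX shell function that reads a raw HTTP response header block on stdin, as produced by curl -sI, and reports whether either framing defence is in place. The sample response bodies are constructed for an offline run, and https://your-planka-url/ is a placeholder for your own instance.

```shell
#!/bin/sh
# check_frame_headers: read HTTP response headers on stdin, print a verdict
# ("protected: ..." or "unprotected: ...") and return 0 only when framing is
# restricted by X-Frame-Options or a CSP frame-ancestors directive.
check_frame_headers() {
    # Strip CR so the per-header greps match curl's CRLF output.
    hdrs=$(tr -d '\r')

    # X-Frame-Options value, upper-cased, whitespace removed (empty if absent).
    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | head -n 1 \
          | cut -d: -f2- | tr -d ' \t' | tr '[:lower:]' '[:upper:]')

    # frame-ancestors directive taken from the CSP header (empty if absent).
    fa=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy:' \
         | grep -io 'frame-ancestors[^;]*' | head -n 1)

    case "$xfo" in
        DENY|SAMEORIGIN)
            echo "protected: X-Frame-Options $xfo"
            return 0 ;;
    esac

    case "$fa" in
        "")   ;;                                   # no directive at all
        *\**) echo "unprotected: permissive $fa"    # wildcard allows any origin
              return 1 ;;
        *)    echo "protected: CSP $fa"
              return 0 ;;
    esac

    echo "unprotected: no X-Frame-Options and no frame-ancestors directive"
    return 1
}

# Constructed sample (assumed shape, not a captured PLANKA response): a reply
# with neither defence, i.e. the state this advisory describes.
sample='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

'
if printf '%s' "$sample" | check_frame_headers; then
    echo "no action needed"
else
    echo "add X-Frame-Options or a frame-ancestors directive at the reverse proxy"
fi

# Live check against your own instance (placeholder URL):
#   curl -sI https://your-planka-url/ | check_frame_headers
```

Run the live form before and after applying the Apache or Nginx workaround; the first run should print "unprotected", the second "protected". A wildcard frame-ancestors value is reported as unprotected because it permits framing from any origin.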

📡 Detection & Monitoring

Log Indicators:

  • Unusual referrer headers or iframe embedding attempts in access logs.

Network Indicators:

  • HTTP responses that carry neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive.

SIEM Query:

Not applicable for this low-complexity vulnerability.
