Aggregates CVE and security vulnerability intelligence across all cipplanner-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling, vendor risk sql injection, and vendor risk xxe and related problems; some flaws may lead to vendor impact file overwrite and vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-50619 | Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with the client's user id to change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is disabled in the client. | [email protected] | 8.8 | 0.05% | 2026-02-11 | 2026-02-13 |
| CVE-2024-50617 | Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. (Retrieval is not intended without correct data access configured for documents.) | [email protected] | 7.5 | 0.05% | 2026-02-11 | 2026-02-13 |
| CVE-2024-50620 | Unrestricted Upload of File with Dangerous Type vulnerabilities exist in the rich text editor and document manage components in CIPPlanner CIPAce before 9.17. An authorized user can upload executable files when inserting images in the rich text editor, and upload executable files when uploading files on the document management page. Those executables can be executed if they are not stored in a shared directory or if the storage directory has executed permissions. | [email protected] | 8.8 | 0.06% | 2026-02-11 | 2026-02-20 |
| CVE-2024-50618 | A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secret in a single-factor authentication scheme gets compromised. | [email protected] | 4.3 | 0.05% | 2026-02-11 | 2026-02-17 |
| CVE-2020-11587 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the content of ETL Processes running on the server. | [email protected] | 7.5 | 0.97% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11586 | An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data. | [email protected] | 9.8 | 1.91% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11599 | An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. GetDistributedPOP3 allows attackers to obtain the username and password of the SMTP user. | [email protected] | 7.5 | 0.36% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11598 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | [email protected] | 9.8 | 3.19% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11597 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request and inject SQL statements in the user context of the db owner. | [email protected] | 9.8 | 2.42% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11596 | A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make HTTP GET requests to a certain URL and obtain information about what files and directories reside on the server. | [email protected] | 7.5 | 1.90% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11595 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and obtain the upload folder path that includes the hostname in a UNC path. | [email protected] | 7.5 | 0.97% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11594 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that causes a stack error to be shown providing the full file path. | [email protected] | 7.5 | 0.71% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11593 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request with injected HTML data that is later leveraged to send emails from a customer trusted email address. | [email protected] | 7.5 | 1.11% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11592 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the columns of a specific table within the CIP database. | [email protected] | 7.5 | 0.97% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11591 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and obtain the full application path along with the customer name. | [email protected] | 5.3 | 0.88% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11590 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to HealthPage.aspx and obtain the internal server name. | [email protected] | 5.3 | 0.65% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11589 | An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only. | [email protected] | 7.5 | 0.92% | 2020-04-06 | 2024-11-21 |
| CVE-2020-11588 | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to two files that contain customer data and application paths. | [email protected] | 5.3 | 0.88% | 2020-04-06 | 2024-11-21 |