Cipace

cipace

Vendor: Cipplanner • 18 CVEs

CVEs (18)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-50619 1Cipplanner 1Cipace Feb 13, 2026 Feb 11, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's ac...Show more Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with the client's user id to change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is disabled in the client.Show less
CVE-2024-50617 1Cipplanner 1Cipace Feb 13, 2026 Feb 11, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass...Show more Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. (Retrieval is not intended without correct data access configured for documents.)Show less
CVE-2024-50620 1Cipplanner 1Cipace Feb 20, 2026 Feb 11, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerabilities exist in the rich text editor and document manage components in CIPPlanner CIPAce before 9.17. An authorized user can upload executable files when inserting...Show more Unrestricted Upload of File with Dangerous Type vulnerabilities exist in the rich text editor and document manage components in CIPPlanner CIPAce before 9.17. An authorized user can upload executable files when inserting images in the rich text editor, and upload executable files when uploading files on the document management page. Those executables can be executed if they are not stored in a shared directory or if the storage directory has executed permissions.Show less
CVE-2024-50618 1Cipplanner 1Cipace Feb 17, 2026 Feb 11, 2026 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with in...Show more A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secret in a single-factor authentication scheme gets compromised.Show less
CVE-2020-11587 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the content of ETL Processes running on the server.
CVE-2020-11586 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.
CVE-2020-11599 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. GetDistributedPOP3 allows attackers to obtain the username and password of the SMTP user.
CVE-2020-11598 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file.
CVE-2020-11597 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request and inject SQL statements in the user context of the db owner.
CVE-2020-11596 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make HTTP GET requests to a certain URL and obtain information about what files and directories reside...Show more A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make HTTP GET requests to a certain URL and obtain information about what files and directories reside on the server.Show less
CVE-2020-11595 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and obtain the upload folder path that includes the hostname in a UNC path.
CVE-2020-11594 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that causes a stack error to be shown providing the full file path.
CVE-2020-11593 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request with injected HTML data that is later leveraged to send emails from a customer trusted email ad...Show more An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request with injected HTML data that is later leveraged to send emails from a customer trusted email address.Show less
CVE-2020-11592 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the columns of a specific table within the CIP database.
CVE-2020-11591 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and obtain the full application path along with the customer name.
CVE-2020-11590 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to HealthPage.aspx and obtain the internal server name.
CVE-2020-11589 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to au...Show more An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only.Show less
CVE-2020-11588 1Cipplanner 1Cipace Nov 21, 2024 Apr 6, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to two files that contain customer data and application paths.