Cross site request forgery (csrf)

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the columns of a specific table within the CIP database...

Cross site request forgery (csrf)

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to HealthPage.aspx and obtain the internal server name...

Code injection

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file...

Cross site request forgery (csrf)

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request and inject SQL statements in the user context of the db owner...

Default credentials

An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. GetDistributedPOP3 allows attackers to obtain the username and password of the SMTP user...

CVE-2020-11586

An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data...

CVE-2020-11586

CIPPlanner CIPAce 9.1 Build 2019092801 is affected by an XXE in the API that accepts XML DTD data. An unauthenticated, network-based attacker can exploit this via crafted XML requests. CVSSv3.1/2.0 scores indicate High to Critical impact on confidentiality, integrity, and availability (base 9.8, ...

CVE-2020-11587

CVE-2020-11587 affects CIPPlanner CIPAce 9.1 Build 2019092801, where an unauthenticated attacker can issue an API request and read the contents of ETL Processes running on the server. The connected records consistently describe this exposure but do not provide a vendor-provided fix or version-spe...

CVE-2020-11587

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the content of ETL Processes running on the server...

CVE-2020-11588

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to two files that contain customer data and application paths...

CVE-2020-11588

CVE-2020-11588 affects CIPPlanner CIPAce 9.1 Build 2019092801. The vulnerability allows an unauthenticated attacker to perform an HTTP GET that accesses two files containing customer data and application paths. Root cause and exact technical details are not explicitly provided in the connected do...

CVE-2020-11589

CIPPlanner CIPAce 9.1 Build 2019092801 is affected by an Insecure Direct Object Reference information-disclosure vulnerability (CVE-2020-11589). An unauthenticated attacker can issue a GET request to a URL and access data that should be restricted to authenticated users. CVSSv3.1 vector and base ...

CVE-2020-11589

An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only...

CVE-2020-11590

CVE-2020-11590 affects CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can issue an HTTP GET to HealthPage.aspx and obtain the internal server name, exposing server identity. The core issue is a information disclosure via HealthPage.aspx; CVSS vectors from the NVD indicate med...

CVE-2020-11590

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to HealthPage.aspx and obtain the internal server name...

CVE-2020-11591

CVE-2020-11591 affects CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can trigger an API request to reveal the full application path and the customer name, exposing sensitive configuration/identity information. The incident is described across multiple sources (Red Hat, CNVD,...

CVE-2020-11591

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and obtain the full application path along with the customer name...

CVE-2020-11592

CVE-2020-11592 affects CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can issue an API request and enumerate the columns of a table in the CIP database, exposing potential schema and column-level information. According to the linked disclosures, impact is information disclosu...

CVE-2020-11592

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the columns of a specific table within the CIP database...

CVE-2020-11593

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request with injected HTML data that is later leveraged to send emails from a customer trusted email address...