Unknown · LatePoint Plugin · CVE-2024-2472
**Name of the Vulnerable Software and Affected Versions**
LatePoint Plugin versions up to and including 4.9.9
**Description**
The vulnerability is a missing capability check on the `start_or_use_session_for_customer` function, which allows unauthorized access to and modification of data. Unauthenticated attackers can view other customers' cabinets, including sensitive information such as email addresses, and change their LatePoint user password.
**Recommendations**
If you run version 4.9.9 or earlier, update to a version that includes a capability check on the `start_or_use_session_for_customer` function to prevent unauthorized access and modification of data. As a temporary workaround, consider restricting access to the `start_or_use_session_for_customer` function until a patch is available.