CVE-2020-11586

Name of the Vulnerable Software and Affected Versions CIPPlanner CIPAce version 9.1 Build 2019092801

Description An XXE issue allows an unauthenticated attacker to make an API request containing malicious XML DTD data. This can be exploited through API endpoints, although the specific endpoint is not mentioned. The issue involves sending malicious XML DTD data, which can lead to unauthorized access or other malicious activities. No information is provided about the estimated number of potentially affected devices or real-world incidents.

Recommendations For CIPPlanner CIPAce version 9.1 Build 2019092801, consider restricting access to API endpoints that accept XML data until a patch is available. As a temporary workaround, disabling the processing of XML DTD data in API requests may help mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this issue.