CVE-2020-11593

Name of the Vulnerable Software and Affected Versions CIPPlanner CIPAce version 9.1 Build 2019092801

Description An issue allows an unauthenticated attacker to make an HTTP POST request with injected HTML data. This injected data is later used to send emails from a customer's trusted email address.

Recommendations For CIPPlanner CIPAce version 9.1 Build 2019092801, consider restricting access to the HTTP POST endpoint to prevent injected HTML data until a patch is available. As a temporary workaround, monitor email activity from customer trusted email addresses for suspicious behavior. At the moment, there is no information about a newer version that contains a fix for this vulnerability.