CVE-2023-40362

Name of the Vulnerable Software and Affected Versions CentralSquare Click2Gov Building Permit versions prior to October 2023

Description An issue was discovered in CentralSquare Click2Gov Building Permit, where lack of access control protections allows remote attackers to arbitrarily delete contractors from any user's account when the user ID and contractor information are known.

Recommendations For versions prior to October 2023, as a temporary workaround, consider restricting access to the user account management functionality until a patch is available. Avoid using the user ID and contractor information in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.