PT-2026-7720 · Cipplanner · Cipace

Published 2026-02-11 · Updated 2026-02-11 · CVE-2024-50617

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CIPPlanner CIPAce versions prior to 9.17

Description

The File Download and Get File handler components in CIPPlanner CIPAce are affected by a flaw that allows attackers to download unauthorized files. An authenticated user can manipulate the file id parameter or provide the physical file path directly in the URL query string to access files they are not authorized to retrieve. The issue arises because proper data access controls are not enforced for documents.

Recommendations

Update to CIPPlanner CIPAce version 9.17 or later.
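
The per-document access check that the description says was not enforced, sketched as an added example (this is not CIPPlanner code and is not taken from the advisory). The `file_id` parameter name, the storage root, and the document records are constructed assumptions; the handler accepts only a file id, refuses a client-supplied path, and checks the requester against the document's access list before resolving anything on disk.

```python
from dataclasses import dataclass
from pathlib import Path

STORAGE_ROOT = Path("/srv/docs")  # assumed document store root


@dataclass(frozen=True)
class Document:
    relative_path: str        # stored server-side, never taken from the URL
    allowed_users: frozenset  # per-document access list


# Constructed sample records, keyed by file id.
DOCUMENTS = {
    101: Document("projects/a/budget.pdf", frozenset({"alice"})),
    102: Document("projects/b/contract.pdf", frozenset({"bob"})),
}


class DownloadDenied(Exception):
    """Raised for every refusal; callers return one generic error."""


def resolve_download(user: str, query: dict) -> Path:
    # Accept only the file id. A client-supplied physical path is refused.
    if set(query) - {"file_id"}:
        raise DownloadDenied("unsupported parameter")
    try:
        file_id = int(query["file_id"])
    except (KeyError, TypeError, ValueError):
        raise DownloadDenied("invalid file id") from None
    doc = DOCUMENTS.get(file_id)
    # Unknown id and unauthorized id fail identically, so ids cannot be probed.
    if doc is None or user not in doc.allowed_users:
        raise DownloadDenied("not found")
    root = STORAGE_ROOT.resolve()
    target = (root / doc.relative_path).resolve()
    # Defence in depth: a bad stored path must not escape the store.
    if not target.is_relative_to(root):
        raise DownloadDenied("not found")
    return target


def is_allowed(user: str, query: dict) -> bool:
    try:
        resolve_download(user, query)
        return True
    except DownloadDenied:
        return False
```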

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-50617

Affected Products

Cipace