CIPPlanner CIPAce Incorrect Access Control Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability in the My Account and User Management components of CIPPlanner CIPAce, prior to version 9.17, allows low-privileged authenticated users to escalate access levels. By manipulating the user ID on the client side, an attacker can access and modify account information of other users. Additionally, this vulnerability enables the modification of user roles displayed as read-only, potentially leading to unauthorized privilege escalation.
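The flaw class described above, shown as an added example that is not CIPAce code or part of the original advisory: an account-update handler that trusts the client-supplied user ID and role list, next to a version that enforces both checks on the server. All names (`User`, `update_account_vulnerable`, `update_account_hardened`, the form fields) and the sample records are hypothetical and constructed for illustration.

```python
# Added illustration only; not CIPAce code. All names and data are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


def make_db():
    # Constructed sample records: one administrator, one low-privileged user.
    return {
        1: User(1, "admin@example.test", {"admin"}),
        2: User(2, "low@example.test", {"viewer"}),
    }


def update_account_vulnerable(db, session_user_id, form):
    # Flawed pattern: the target record and the role list both come from the
    # request body. A read-only widget in the UI is the only guard on roles.
    target = db[int(form["user_id"])]
    target.email = form.get("email", target.email)
    if "roles" in form:
        target.roles = set(form["roles"])
    return target


def update_account_hardened(db, session_user_id, form):
    # The caller's identity comes from the server-side session, never the form.
    caller = db[session_user_id]
    is_admin = "admin" in caller.roles
    target_id = int(form.get("user_id", caller.id))
    # Object-level check: only administrators may edit another user's record.
    if target_id != caller.id and not is_admin:
        raise Forbidden("cannot edit another user's account")
    # Field-level check: a field rendered read-only must be rejected server-side.
    if "roles" in form and not is_admin:
        raise Forbidden("role changes require an administrator")
    target = db[target_id]
    target.email = form.get("email", target.email)
    if "roles" in form:
        target.roles = set(form["roles"])
    return target
```

Logging each `Forbidden` with the session user ID and the requested target ID gives defenders a record of tampering attempts against these two checks.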

Impact

Exploiting this incorrect access control enables unauthorized users to access and modify other users' account information and to escalate privileges by tampering with user roles.

Remediation

CIPPlanner has developed and distributed patches for this vulnerability, which are included in CIPAce version 10.0 and later. For customers not currently upgrading to CIPAce 10.0, software patches and instructions have been provided. Customers can contact CIPPlanner for more information.

Added: Feb 11, 2026, 10:24 PM
Updated: Feb 11, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 2.9
remediation: 7.7
relevance: 2.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.