CVE-2020-11593

HIGH

CIPPlanner CIPAce < 9.1 - Unauthenticated HTML Injection via Email Functionality

Description

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request with injected HTML data that is later leveraged to send emails from a customer-trusted email address.

Scores

CVSS v3 7.5
EPSS 0.0099
EPSS Percentile 58.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-74
Status published
Products (1)
cipplanner/cipace < 9.1
Published Apr 06, 2020
Tracked Since Feb 18, 2026