Vulnerability: CVE-2024-50620
At CIPPlanner, the security of customer installations of CIPAceTM software and data is our top priority. We would therefore like to inform you that CIPPlanner has identified a security incident and has taken measures to remedy the situation through an enterprise-wide resolution initiative, identified and tracked as “S10001”, in March 2025.
By: Kenneth Price
Published: December 24, 2025, 9:19 AM EST
Last Modified: December 24, 2025, 9:19 AM EST
Situational Summary
The incident involved an unauthorized party compromising an inactive third-party vendor user account at one of our customers. Independent investigations concluded by both the CIPPlanner cybersecurity team and the client’s IT team found no evidence of significant operational impact or security breach. We attribute this outcome to: CIPPlanner’s established security protocols; implementation of daily operational best practices; CIPAceTM maintenance; and the diligence of our SuperAdmin users.
In accordance with the “CIPPlanner Security Incident Response Operating Procedure”, the cybersecurity team identified and remedied the Common Vulnerabilities and Exposures (CVE) entry discussed below.
Vulnerability Details
The vulnerability is an Unrestricted Upload of File with Dangerous Type (CWE-434) weakness in the rich text editor and document management components of the CIPAce product of CIPPlanner Corporation before version 9.17. An authorized user can upload executable files when inserting images in the rich text editor, and when uploading files on the document management page. Those executables can be run if they are stored in the application directory or if the storage directory has execute permissions.
CVE Registration
In 2024, CIPPlanner reported four (4) information security vulnerabilities to MITRE, which operates the U.S. Government-funded CVE Program; MITRE assigned this vulnerability the identifier CVE-2024-50620. Registration metadata are as follows:
Type: Incorrect Access Control
CVSS Version: 4.0
Metric Score: 6.0 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/SC:N/VI:H/SI:N/VA:H/SA:N
CVE Resolution
The status of CIPPlanner’s resolution of CVE-2024-50620 is “Remedied”. Related activities are:
- CIPPlanner developed and distributed software patches to its valued customers. These resolutions are now embedded in later versions of the CIPAceTM codebase.
- CIPPlanner retained the New Jersey based cybersecurity consultant Entersoft US LLC to execute independent SAST, DAST, and penetration testing services on the CIPAceTM full stack. Entersoft has performed these independent services and certified the CIPAceTM software. The certification protocols required CIPPlanner to remedy security vulnerabilities; those remedies are now reflected in later version codebases.
- Resolution of this software vulnerability took the form of preventing the upload of dangerous executables by enforcing a whitelist of the file types allowed for upload. By default, the following file types are allowed: “7z; avi; bmp; csv; doc; docx; dotm; dotx; dwg; gif; jpeg; jpg; mov; mp3; mp4; mpp; msg; pdf; png; ppt; pptx; txt; wav; wmv; xls; xlsx; zip;”. The whitelist can be adjusted to actual needs, provided the adjusted list remains safe.
Subsequently, CIPPlanner’s Product and Implementation teams executed the above software resolutions by:
- Merging the needed software remedies into new versions of CIPAceTM (v10.x and beyond).
- Distributing software patches and instructions to customers where no CIPAceTM upgrade is underway.
- Code-merging software remedies into CIPAceTM as a part of ongoing software upgrade projects.
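The following is an added example, in Python, of the whitelist approach described above; it is not CIPAce code and not CIPPlanner's implementation. It applies the advisory's default whitelist to the final extension of the client-supplied name after normalisation (path components stripped, NUL bytes refused, trailing dots removed), adds a file-header check that catches a script renamed to a whitelisted type, and in the storage step enforces the condition the advisory itself identifies: uploads must not land in the application directory, and are written without the execute bit under a random server-side name. The function names, the signature table and the storage rules are assumptions of this example; the sample uploads at the bottom are constructed.

```python
"""Extension whitelist and content checks for an untrusted file upload.

Added example, not CIPAce code: names, helpers and the signature table
below are assumptions chosen to illustrate the fix described in the advisory.
"""
import os
import secrets
from pathlib import Path

# Default whitelist as published in the advisory (lower-case, no leading dot).
DEFAULT_ALLOWED_EXTENSIONS = frozenset(
    "7z avi bmp csv doc docx dotm dotx dwg gif jpeg jpg mov mp3 mp4 mpp msg "
    "pdf png ppt pptx txt wav wmv xls xlsx zip".split()
)

# Fixed file-header signatures (hypothetical subset) used to catch a script
# renamed to a whitelisted extension. Types without a stable header (csv, txt,
# mp3, ...) are checked by extension only.
_OOXML = (b"PK\x03\x04",)                        # docx/xlsx/pptx/dotx/dotm are zip containers
_OLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)   # legacy Office/Outlook/Project
MAGIC_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"), "bmp": (b"BM",),
    "pdf": (b"%PDF-",), "7z": (b"7z\xbc\xaf\x27\x1c",), "zip": _OOXML,
    "docx": _OOXML, "xlsx": _OOXML, "pptx": _OOXML, "dotx": _OOXML, "dotm": _OOXML,
    "doc": _OLE2, "xls": _OLE2, "ppt": _OLE2, "msg": _OLE2, "mpp": _OLE2,
}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def extension_of(filename: str) -> str:
    """Return the lower-case final extension of an untrusted client filename."""
    if "\x00" in filename:
        raise UploadRejected("NUL byte in filename")
    # Browsers and some clients send a path; keep only the last component.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows strips trailing dots and spaces on write, so "shell.aspx." would
    # land on disk as shell.aspx: normalise before reading the extension.
    name = name.rstrip(". ")
    root, ext = os.path.splitext(name)
    if not root or len(ext) < 2:
        raise UploadRejected("missing file extension")
    return ext[1:].lower()


def validate_upload(filename: str, data: bytes,
                    allowed=DEFAULT_ALLOWED_EXTENSIONS) -> str:
    """Whitelist check on the final extension, then a header check.

    Returns the accepted extension or raises UploadRejected. Only the last
    extension counts, so "shell.pdf.aspx" is judged as .aspx.
    """
    ext = extension_of(filename)
    if ext not in allowed:
        raise UploadRejected(f"extension .{ext} is not whitelisted")
    signatures = MAGIC_SIGNATURES.get(ext)
    if signatures and not data.startswith(signatures):
        raise UploadRejected(f"content does not match a .{ext} file header")
    return ext


def is_allowed(filename: str, data: bytes,
               allowed=DEFAULT_ALLOWED_EXTENSIONS) -> bool:
    """Boolean form of validate_upload for callers that only need accept/reject."""
    try:
        validate_upload(filename, data, allowed)
        return True
    except UploadRejected:
        return False


def storage_is_outside_app(storage_dir: str, app_dir: str) -> bool:
    """True unless storage_dir is the application directory or lies inside it."""
    storage, app = Path(storage_dir).resolve(), Path(app_dir).resolve()
    return storage != app and app not in storage.parents


def store_upload(filename: str, data: bytes, storage_dir: str, app_dir: str,
                 allowed=DEFAULT_ALLOWED_EXTENSIONS) -> Path:
    """Validate, then write under storage_dir with a random, non-executable name."""
    ext = validate_upload(filename, data, allowed)
    # The advisory notes uploads can run if they land in the application
    # directory or an executable location: refuse the former outright.
    if not storage_is_outside_app(storage_dir, app_dir):
        raise UploadRejected("storage directory must lie outside the application")
    storage = Path(storage_dir)
    storage.mkdir(parents=True, exist_ok=True)
    # The client's name never reaches the filesystem; only the vetted extension.
    dest = storage / f"{secrets.token_hex(16)}.{ext}"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # rw for owner, no execute bit
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    # Constructed sample uploads: a PNG header and an ASP.NET page under several names.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, body in [("photo.png", png), ("shell.aspx", b"<%@ Page %>"),
                       ("shell.jpg", b"<%@ Page %>"), ("shell.aspx.", b"<%@ Page %>")]:
        print(f"{name:12} -> {'accepted' if is_allowed(name, body) else 'rejected'}")
```

Two caveats when adapting the whitelist: the published default includes dotm, the macro-enabled Word template format, which a deployment that does not need macro-enabled documents would drop; and a header check is shallow (a file can carry a valid image header and a script body), so it complements, rather than replaces, keeping the storage location outside the application directory and free of execute permissions.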
If you have any questions or concerns, please do not hesitate to contact us.
FOOTNOTE:
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The CVE Program is maintained by the National Cybersecurity FFRDC (Federally Funded Research and Development Center), which is funded by the U.S. Department of Homeland Security. For more information, please visit:
- CVE Program Mission – CVE Website
- CVE terminology – Glossary | CVE
- MITRE CVE Request form – CVE – Common Vulnerabilities and Exposures (CVE)
- CVSS – Common Vulnerability Scoring System Version 4.0
