Описание
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
Ссылки
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34ExploitThird Party Advisory
- Third Party Advisory
- ExploitThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34ExploitThird Party Advisory
- Third Party Advisory
- ExploitThird Party Advisory
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:connectwise:control:19.3.25270.7185:*:*:*:*:*:*:*
EPSS
Процентиль: 45%
0.00224
Низкий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-346
Связанные уязвимости
github
больше 3 лет назад
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
EPSS
Процентиль: 45%
0.00224
Низкий
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-346