CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36781 – ConnectWise - ScreenConnect Session Code Bypass
https://notcve.org/view.php?id=CVE-2022-36781
28 Sep 2022 — ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks. WiseConnect - Una Omisión de Código de Ces... • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35066
https://notcve.org/view.php?id=CVE-2021-35066
21 Jun 2021 — An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Se presenta una vulnerabilidad de tipo XXE en ConnectWise Automate versiones anteriores a 2021.0.6.132 • https://home.connectwise.com/securityBulletin/60cc8c63508a120001cb6e8d • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32582
https://notcve.org/view.php?id=CVE-2021-32582
17 Jun 2021 — An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from an instance via crafted monitor status responses. Se ha detectado un problema en ConnectWise Automate versiones anteriores a 2021.5. Se presenta una vulnerabilidad de inyección SQL ciega en la comunicación del inventario del agente principal que puede permitir a un atacant... • https://home.connectwise.com/securityBulletin/609a9dd75cb8450001e85369 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15838
https://notcve.org/view.php?id=CVE-2020-15838
09 Oct 2020 — The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions. El Agent Update System en ConnectWise Automate versiones anteriores a 2020.8, permite una Escalada de Privilegios porque la carpeta _LTUPDATE presenta permisos débiles • https://dbeta.com/2020/10/05/PrivilegeEscalationInAutomateAgent • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15027
https://notcve.org/view.php?id=CVE-2020-15027
16 Jul 2020 — ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication bypass via a series of attempts. This was patched in 2020.7 and in a hotfix for 2019.12. ConnectWise Automate versiones hasta 2020.x, presenta una comprobación insuficiente en determinadas rutas de autenticación, permitiendo una omisión de autenticación por medio de una serie de intentos. Esto fue parcheado en versión 2020.7 y en una revisión para la versión 2019.12 • https://slagle.tech/2020/07/06/cve-2020-15027 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15008
https://notcve.org/view.php?id=CVE-2020-15008
07 Jul 2020 — A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform ful... • https://slagle.tech/2020/07/06/cve-2020-15008 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-14159
https://notcve.org/view.php?id=CVE-2020-14159
15 Jun 2020 — By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178. Al usar una API de Automate en ConnectWise Automate versiones anteriores a 2020.5.178, un us... • https://www.connectwise.com/company/trust#tab1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-16515
https://notcve.org/view.php?id=CVE-2019-16515
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Determinados encabezados de seguridad HTTP no son usados. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 •
CVSS: 5.3EPSS: 30%CPEs: 2EXPL: 6CVE-2019-16516 – ConnectWise Control 19.2.24707 - Username Enumeration
https://notcve.org/view.php?id=CVE-2019-16516
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Se presenta una vulnerabilidad de enumeración de usuarios, permitiendo a un atacante no autenticado determinar con certeza si una cuenta existe par... • https://packetstorm.news/files/id/165432 • CWE-203: Observable Discrepancy •
CVSS: 7.2EPSS: 5%CPEs: 1EXPL: 2CVE-2019-16514
https://notcve.org/view.php?id=CVE-2019-16514
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. El servidor permite una ejecución de código remota. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-434: Unrestricted Upload of File with Dangerous Type •