
CVE-2019-16517
https://notcve.org/view.php?id=CVE-2019-16517
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-346: Origin Validation Error

CVE-2019-16512
https://notcve.org/view.php?id=CVE-2019-16512
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-16513
https://notcve.org/view.php?id=CVE-2019-16513
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-18362 – Kaseya VSA SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2017-18362
05 Feb 2019 — ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentica... • http://archive.today/rdkeQ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2017-11726
https://notcve.org/view.php?id=CVE-2017-11726
31 Jul 2017 — services/system_io/actionprocessor/System.rails in ConnectWise Manage 2017.5 is vulnerable to Cross-Site Request Forgery (CSRF), as demonstrated by changing an e-mail address setting. • https://becomepentester.blogspot.in/2017/07/ConnectWise-Manage-CSRF-CVE-2017-11726.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-11727
https://notcve.org/view.php?id=CVE-2017-11727
31 Jul 2017 — services/system_io/actionprocessor/Contact.rails in ConnectWise Manage 2017.5 allows arbitrary client-side JavaScript code execution (involving a ContactCommon field) on victims who click on a crafted link, aka XSS. • https://becomepentester.blogspot.in/2017/07/ConnectWise-Manage-XSS-CVE-2017-11727.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')