CVE-2020-15008
https://notcve.org/view.php?id=CVE-2020-15008
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12. • https://slagle.tech/2020/07/06/cve-2020-15008 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-14159
https://notcve.org/view.php?id=CVE-2020-14159
By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178. Al usar una API de Automate en ConnectWise Automate versiones anteriores a 2020.5.178, un usuario autenticado remoto podría ejecutar comandos y/o modificaciones dentro de una instancia Automate individual activando una vulnerabilidad de inyección SQL en /LabTech/agent.aspx. Esto afecta a las versiones anteriores a 2019.12.337, 2020 anteriores a 2020.1.53, 2020.2 anteriores a 2020.2.85, 2020.3 anteriores a 2020.3.114, 2020.4 anteriores a 2020.4.143, y 2020.5 anteriores a 2020.5.178 • https://www.connectwise.com/company/trust#tab1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-16515
https://notcve.org/view.php?id=CVE-2019-16515
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Determinados encabezados de seguridad HTTP no son usados. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 https://know.bishopfox.com/advisories https://know.bishopfox.com/advisories/connectwise-control https://wpvulndb.com/vulnerabilities/10013 https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox •
CVE-2019-16516 – ConnectWise Control 19.2.24707 - Username Enumeration
https://notcve.org/view.php?id=CVE-2019-16516
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Se presenta una vulnerabilidad de enumeración de usuarios, permitiendo a un atacante no autenticado determinar con certeza si una cuenta existe para un nombre de usuario dado. ConnectWise Control version 19.2.24707 suffers from a username enumeration vulnerability. • https://www.exploit-db.com/exploits/50618 http://packetstormsecurity.com/files/165432/ConnectWise-Control-19.2.24707-Username-Enumeration.html https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 https://know.bishopfox.com/advisories https://know.bishopfox.com/advisories/connectwise-control https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox https://www.crn.com/slide-shows/managed-services/connectwise-control-attack • CWE-203: Observable Discrepancy •
CVE-2019-16514
https://notcve.org/view.php?id=CVE-2019-16514
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. El servidor permite una ejecución de código remota. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 https://know.bishopfox.com/advisories https://know.bishopfox.com/advisories/connectwise-control https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox • CWE-434: Unrestricted Upload of File with Dangerous Type •