CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25718
https://notcve.org/view.php?id=CVE-2023-25718
13 Feb 2023 — In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: th... • https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25719
https://notcve.org/view.php?id=CVE-2023-25719
13 Feb 2023 — ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files tha... • https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 0CVE-2021-36763
https://notcve.org/view.php?id=CVE-2021-36763
03 Aug 2021 — In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties. En CODESYS V3 web server versiones anteriores a 3.5.17.10, los archivos o directorios son accesibles para las partes externas • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16803&token=0b8edf9276dc39ee52f43026c415c5b38085d90a&download= • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.8EPSS: 0%CPEs: 16EXPL: 0CVE-2021-33485
https://notcve.org/view.php?id=CVE-2021-33485
03 Aug 2021 — CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow. CODESYS Control Runtime system versiones anteriores a 3.5.17.10, presenta un Desbordamiento de Buffer en la región Heap de la memoria • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14805&token=f0b86f99bb302ddd4aadec483aed5f5d3fddbf1a&download= • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-16515
https://notcve.org/view.php?id=CVE-2019-16515
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Determinados encabezados de seguridad HTTP no son usados. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 •
CVSS: 5.3EPSS: 30%CPEs: 2EXPL: 6CVE-2019-16516 – ConnectWise Control 19.2.24707 - Username Enumeration
https://notcve.org/view.php?id=CVE-2019-16516
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Se presenta una vulnerabilidad de enumeración de usuarios, permitiendo a un atacante no autenticado determinar con certeza si una cuenta existe par... • https://packetstorm.news/files/id/165432 • CWE-203: Observable Discrepancy •
CVSS: 7.2EPSS: 5%CPEs: 1EXPL: 2CVE-2019-16514
https://notcve.org/view.php?id=CVE-2019-16514
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. El servidor permite una ejecución de código remota. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-16517
https://notcve.org/view.php?id=CVE-2019-16517
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Se presenta una configuración inapropiada de CORS, que refl... • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-346: Origin Validation Error •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-16512
https://notcve.org/view.php?id=CVE-2019-16512
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Se presenta una vulnerabilidad de tipo XSS almacenado en el modificador Appearance. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-16513
https://notcve.org/view.php?id=CVE-2019-16513
23 Jan 2020 — An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests. Se detectó un problema en ConnectWise Control (anteriormente se conoce como ScreenConnect) versión 19.3.25270.7185. Una vulnerabilidad de tipo CSRF puede ser usada para enviar peticiones de la API. • https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34 • CWE-352: Cross-Site Request Forgery (CSRF) •