// For flags

CVE-2020-15008

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12.

Se presenta un SQLi en el código de sonda de todas las versiones de Connectwise Automate anteriores a 2020.7 o 2019.12. Se presenta una inyección SQL en la implementación de la sonda para guardar datos en una tabla personalizada debido a una comprobación inadecuada del lado del servidor. A medida que el código crea un SQL dinámico para la instrucción de inserción y utiliza el nombre de la tabla suministrado por el usuario con poca comprobación, el nombre de la tabla puede ser modificado para permitir que comandos de actualización arbitrarios se ejecuten. El uso de otras técnicas de inyección SQL, como los ataques de sincronización, son posibles para realizar una extracción de datos completa. Parcheado en versión 2020.7 y en un hotfix para 2019.12

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-06-24 CVE Reserved
  • 2020-07-07 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
URL Tag Source
https://slagle.tech/2020/07/06/cve-2020-15008 Not Applicable
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Connectwise
Search vendor "Connectwise"
 Connectwise Automate
Search vendor "Connectwise" for product "Connectwise Automate"
 < 2020.7
Search vendor "Connectwise" for product "Connectwise Automate" and version " < 2020.7"
-
Affected
Connectwise
Search vendor "Connectwise"
 Connectwise Automate
Search vendor "Connectwise" for product "Connectwise Automate"
 2019.12
Search vendor "Connectwise" for product "Connectwise Automate" and version "2019.12"
-
Affected