CVE-2019-16517
N/A
N/A
Summary
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/connectwise-control
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox
References
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/connectwise-control
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.