81 matches found
CVE-2023-23127
In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP rather than HTTPS during troubleshooting...
ConnectWise Control Security Vulnerability
ConnectWise Control is a self-hosted remote desktop software application from ConnectWise USA. A security vulnerability exists in ConnectWise Control version 22.8.10013.8329, which stems from vulnerability to cross-origin resource sharing (CORS) attacks...
CVE-2023-23128
ConnectWise Control 22.8.10013.8329 is cited in multiple sources (NVD, Red Hat CVE, CVE listings) as vulnerable to a Cross Origin Resource Sharing (CORS) issue due to Access-Control-Allow-Origin wildcarding on two endpoints. The vendor states this behavior is required for functionality and poses ...
PT-2023-18848 · Connectwise · Connectwise Control
Name of the Vulnerable Software and Affected Versions: Connectwise Control version 22.8.10013.8329 Description: The login page of Connectwise Control does not implement HSTS headers, which results in not enforcing HTTPS. The vendor's position is that this behavior is controlled by a configuration...
CVE-2023-23128
Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). The vendor's position is that two endpoints have Access-Control-Allow-Origin wildcarding to support product functionality, and that there is no risk from this behavior. The vulnerability report is thus not...
U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software
At least two federal agencies in the U.S. fell victim to a "widespread cyber campaign" that involved the use of legitimate remote monitoring and management (RMM) software to perpetrate a phishing scam. "Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate...
ConnectWise Control 19.2.24707 Username Enumeration
Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration Date: 17/12/2021 Exploit Author: Luca Cuzzolin aka czz78 Vendor Homepage: https://www.connectwise.com/ Version: vulnerable = 19.2.24707 CVE : CVE-2019-16516 https://github.com/czz/ScreenConnect-UserEnum from multiprocessing impo...
ConnectWise Control 19.2.24707 - Username Enumeration Exploit
Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration Exploit Author: Luca Cuzzolin aka czz78 Vendor Homepage: https://www.connectwise.com/ Version: vulnerable = 19.2.24707 CVE : CVE-2019-16516 https://github.com/czz/ScreenConnect-UserEnum from multiprocessing import Process, Queue...
ConnectWise Control 19.2.24707 - Username Enumeration
Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration Date: 17/12/2021 Exploit Author: Luca Cuzzolin aka czz78 Vendor Homepage: https://www.connectwise.com/ Version: vulnerable = 19.2.24707 CVE : CVE-2019-16516 https://github.com/czz/ScreenConnect-UserEnum from multiprocessing impo...
Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies
UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors, according to new research. Attributing the operation to Static Kitten (aka MERCURY or MuddyWater), Anomali said the "objective of this activity is to...
CVE-2019-16513
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. CSRF can be used to send API requests...
CVE-2019-16516
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username...
CVE-2019-16515
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used...
CVE-2019-16512
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is stored XSS in the Appearance modifier...
CVE-2019-16514
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. The server allows remote code execution. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server...
CVE-2019-16517
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative...