CVE-2019-16517
Published 2020-01-23
Priority: P345 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.33% (67.4th percentile)
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | control | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.
Huntress: Validating the Bishop Fox Findings in ConnectWise Control (blogs_huntress · 2020-01-22 · CVSS 4.8 · MEDIUM)
In computer security, responsible disclosure is a vulnerability disclosure model in which an issue is publicly disclosed only after a period of time that allows for the affected party to patch/resolve the problem in a reasonable amount of time. For most bugs that are not being actively exploited, this period usually lasts 90–120 days. After this grace period, the details of the findings are published in order to educate the masses on the risks posed should those affected decide not to patch.
Security researchers at Bishop Fox uncovered eight vulnerabilities in ConnectWise Control that ranged from low to high severity with one deemed critical by the security company. Today marks the end of the embargo for these vulnerabilities and Huntress was contacted to:
Validate Bishop Fox’s (top notc
References

- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/connectwise-control
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox