CVE-2023-25719

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-25719
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ Exploit Third Party Advisory
https://www.connectwise.com Product
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ Exploit Third Party Advisory
https://www.connectwise.com Product
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
Configurations

Configuration 1 (hide)

cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*
History

21 Nov 2024, 07:50

Type Values Removed Values Added
Summary
  • (es) ConnectWise Control anterior a 22.9.10032 (anteriormente conocido como ScreenConnect) no puede validar los parámetros proporcionados por el usuario, como el parámetro h de Bin/ConnectWiseControl.Client.exe. Esto da como resultado datos reflejados e inyección de código malicioso en un ejecutable descargado. El ejecutable se puede utilizar para ejecutar consultas maliciosas o como vector de denegación de servicio. NOTA: este registro CVE trata solo de los parámetros, como el parámetro h (este registro CVE no trata sobre la edición separada de archivos ejecutables firmados que se supone que tienen configuraciones únicas en las instalaciones de los clientes).
References () https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ - Exploit, Third Party Advisory () https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/ - Exploit, Third Party Advisory
References () https://www.connectwise.com - Product () https://www.connectwise.com - Product
References () https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures - () https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures -
References () https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity - () https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity -
Information

Published : 2023-02-13 20:15

Updated : 2024-11-21 07:50

NVD link : CVE-2023-25719

Mitre link : CVE-2023-25719

CVE.ORG link : CVE-2023-25719

JSON object : View

Products Affected

connectwise

  • control
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024