Vulnerability Details CVE-2019-16517
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/connectwise-control
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/connectwise-control
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulnerabilities-are-severe-bishop-fox
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chain-exploit-20-questions-for-security-researcher-bishop-fox
Products affected by CVE-2019-16517
-
cpe:2.3:a:connectwise:control:19.3.25270.7185