ConnectWise, a remote management platform has patched a cross-site scripting) vulnerability that could lead to remote code execution. Threat actors could exploit it to take complete control of the ConnectWise platform.
“After testing and validating several attack vectors, we have found that in the case of the Page. Title resource, the user input validation is not being taken care of, leaving it vulnerable to a ‘Stored XSS’ exploitation, The user’s input is inserted directly, as is, in between the tags on any page of the web app” reads the Researchers statement.
This included the landing page for visitors, the admin login page and any of the internal admin pages. Any code maliciously inject in between the tags with some manipulations is executed as any other code in the context of the web app as if it was authored by the official owner of the service.
The script executing from this context would give an attacker full control over any element of the web app, potentially altering elements on the page, as well as connection to the backend servers.
This can harm any potential visitor be used to abuse the hosting services itself allowing misuse of ConnectWise hosting, identity, and certificate to serve malicious code or gain full access to admin pages even after the trial period is over.
Researchers confirmed that they disclosed the vulnerability earlier this year, which ConnectWise promptly patched on August 8, 2022, in v22.6.