PT-2017-12204 · Connectwise · Connectwise Manage
Published
2017-07-31
·
Updated
2017-08-04
·
CVE-2017-11727
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ConnectWise Manage version 2017.5
Description
The issue allows arbitrary client-side JavaScript code execution on victims who click on a crafted link. This involves a ContactCommon field in the services/system io/actionprocessor/Contact.rails component.
Recommendations
For ConnectWise Manage version 2017.5, consider disabling the Contact.rails component temporarily until a patch is available to prevent arbitrary JavaScript code execution. Restrict access to the ContactCommon field to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Connectwise Manage