PT-2020-14116 · Connectwise · Connectwise Automate

Jason Slagle · Published 2020-07-07 · Updated 2020-07-16 · CVE-2020-15008

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Connectwise Automate versions prior to 2020.7; Connectwise Automate versions prior to 2019.12
Description: A SQL injection issue exists in the probe code due to inadequate server-side validation. The code builds dynamic SQL for an insert statement and splices in the user-supplied table name with little validation, so a crafted table name can terminate the insert and run arbitrary update commands. Other SQL injection techniques, such as timing attacks, can be used to perform full data extraction.
Recommendations: For versions prior to 2020.7, update to version 2020.7 or later. For versions prior to 2019.12, apply the hotfix for 2019.12. As a temporary workaround, consider restricting access to the probe implementation to minimize the risk of exploitation.
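The flaw described above, reduced to its essential pattern as an added example (this is illustrative code, not ConnectWise Automate's probe code; the schema, the `probe_results` and `users` tables, the `ALLOWED_TABLES` allowlist and the payload are all constructed for the demonstration). The vulnerable function splices the caller-supplied table name into a dynamic INSERT and, like a driver that accepts stacked statements, executes whatever follows; the hardened function checks the identifier against an allowlist (identifiers cannot be bound as parameters) and binds the values instead of concatenating them.

```python
import sqlite3

# Constructed stand-in schema; not ConnectWise Automate's real tables.
SCHEMA = """
CREATE TABLE probe_results (host TEXT, value TEXT);
CREATE TABLE users (name TEXT, role TEXT);
INSERT INTO users VALUES ('admin', 'user');
"""

# Hypothetical allowlist of tables the probe endpoint may write to.
ALLOWED_TABLES = frozenset({"probe_results"})


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_insert(conn, table, host, value):
    """The flawed pattern: caller-supplied table name spliced into dynamic SQL.

    executescript() stands in for a database driver that accepts stacked
    statements (an assumption); that is what turns an INSERT into an UPDATE."""
    sql = f"INSERT INTO {table} (host, value) VALUES ('{host}', '{value}');"
    conn.executescript(sql)


def hardened_insert(conn, table, host, value):
    """Identifier validated against an allowlist and quoted; values bound."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table!r}")
    conn.execute(f'INSERT INTO "{table}" (host, value) VALUES (?, ?)', (host, value))
    conn.commit()


def role_of(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()[0]


# Table-name payload: completes the INSERT, stacks an UPDATE, comments out the rest.
PAYLOAD = ("probe_results (host, value) VALUES ('x', 'y'); "
           "UPDATE users SET role = 'admin' WHERE name = 'admin'; --")


def demo_vulnerable():
    """Returns the admin user's role after the injected 'insert' ran."""
    conn = fresh_db()
    vulnerable_insert(conn, PAYLOAD, "host1", "ok")
    return role_of(conn, "admin")  # 'admin': privilege changed via the table name


def demo_hardened():
    """Returns (payload rejected?, admin role, hosts actually written)."""
    conn = fresh_db()
    try:
        hardened_insert(conn, PAYLOAD, "host1", "ok")
        rejected = False
    except ValueError:
        rejected = True
    # A legitimate write, including a quote character, still works via binding.
    hardened_insert(conn, "probe_results", "O'Brien-pc", "ok")
    hosts = [r[0] for r in conn.execute("SELECT host FROM probe_results")]
    return rejected, role_of(conn, "admin"), hosts


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:", demo_hardened())
```

The allowlist is the important part: escaping or quoting a table name does not help when the attacker controls the whole identifier position, and since placeholders cannot stand in for identifiers, the only robust server-side validation is to compare the supplied name against the fixed set of tables the probe is ever expected to write.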

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2020-15008

Affected Products

Connectwise Automate