"ConnectWise Fixes XSS Vulnerability That Could Lead to Remote Code Execution"

Remote monitoring and management (RMM) platform ConnectWise has recently patched a cross-site scripting (XSS) vulnerability that could lead to remote code execution (RCE).  Security researchers at Guardio Labs noted that threat actors could exploit it to take complete control of the ConnectWise platform.  The researchers noted that in the case of the Page.Title resource, the [user input validation], is not being taken care of, leaving it vulnerable to a "Stored XSS" exploitation.  The researchers stated that the user's input is inserted directly, as is, in between the tags on any page of the web app.  The researchers added that this included the landing page for visitors (where they could enter their support code and potentially install a remote access Trojan), the admin login page, and any of the internal admin pages.  The researchers stated that any code they maliciously inject in between the tags with some manipulations is executed as any other code in the context of the web app as if it was authored by the official owner of the service.  The researchers explained that a script executing from this context would give an attacker full control over any element of the web app, potentially altering elements on the page, as well as connection to the backend servers.  Guardio Labs confirmed it disclosed the vulnerability earlier this year, which ConnectWise promptly patched on August 8, 2022, in v22.6.

Infosecurity reports: "ConnectWise Fixes XSS Vulnerability That Could Lead to Remote Code Execution"