Vulnerabilities > Connectwise > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-01 | CVE-2023-47256 | Improper Authentication vulnerability in Connectwise Automate and Screenconnect ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | 5.5 |
| 2023-02-01 | CVE-2023-23126 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Connectwise Automate 2022.11 Connectwise Automate 2022.11 is vulnerable to Clickjacking. | 6.1 |
| 2023-02-01 | CVE-2023-23127 | Missing Encryption of Sensitive Data vulnerability in Connectwise 22.8.10013.8329 In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. | 5.3 |
| 2023-02-01 | CVE-2023-23128 | Unspecified vulnerability in Connectwise 22.8.10013.8329 Connectwise Control 22.8.10013.8329 is vulnerable to Cross Origin Resource Sharing (CORS). | 6.1 |
| 2023-02-01 | CVE-2023-23130 | Cleartext Transmission of Sensitive Information vulnerability in Connectwise Automate 2022.11 Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. | 5.9 |
| 2022-09-28 | CVE-2022-36781 | Improper Restriction of Excessive Authentication Attempts vulnerability in Connectwise Screenconnect ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. | 5.3 |
| 2021-06-17 | CVE-2021-32582 | SQL Injection vulnerability in Connectwise Automate 2019.12/2020.7 An issue was discovered in ConnectWise Automate before 2021.5. | 5.0 |
| 2020-10-09 | CVE-2020-15838 | Improper Authentication vulnerability in Connectwise Automate 2019.12/2020.0/2020.7 The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions. | 6.5 |
| 2020-07-07 | CVE-2020-15008 | SQL Injection vulnerability in Connectwise Automate 2019.12 A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. | 6.0 |
| 2020-06-15 | CVE-2020-14159 | SQL Injection vulnerability in Connectwise Automate API By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. | 6.5 |