CORS Misconfiguration in ConnectWise Control Allows Unauthorized Administrative Actions

CORS Misconfiguration in ConnectWise Control Allows Unauthorized Administrative Actions

CVE-2019-16517 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.

Learn more about our Cis Benchmark Audit For Server Software.