Information Disclosure Vulnerability in Connectwise Control by Connectwise
CVE-2023-23127

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 1 February 2023

What is CVE-2023-23127?

In Connectwise Control version 22.8.10013.8329, the login page does not send HTTP Strict Transport Security (HSTS) headers. Without HSTS, browsers are not told to use HTTPS only for the site, which can allow attackers to intercept unsecured HTTP traffic. The vendor states that users can opt to use HTTP during troubleshooting via configuration settings, but this approach compromises security by potentially exposing sensitive data. Users should ensure that HSTS is enabled in their setup to mitigate the risks associated with this vulnerability.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
