Remote monitoring and management (RMM) platform ConnectWise has patched a cross-site scripting (XSS) vulnerability that could lead to remote code execution (RCE).
Security researchers at Guardio Labs wrote about the flaw earlier this week, saying threat actors could exploit it to take complete control of the ConnectWise platform.
“After testing and validating several attack vectors, we have found that in the case of the Page.Title resource, the [user input validation] is not being taken care of, leaving it vulnerable to a ‘Stored XSS’ exploitation,” reads the Guardio Labs advisory.
“The user’s input is inserted directly, as is, in between the tags on any page of the web app.”
The security company also added that this included the landing page for visitors (where they could enter their support code and potentially install a remote access Trojan), the admin login page and any of the internal admin pages.
“Any code we maliciously inject in between the tags with some manipulations is executed as any other code in the context of the web app – as if it was authored by the official owner of the service.”
Guardio Labs explained that a script executing from this context would give an attacker full control over any element of the web app, potentially altering elements on the page, as well as connection to the backend servers.
“This can harm any potential visitor [or] be used to abuse the hosting services itself – allowing misuse of ConnectWise hosting, identity, and certificate to serve malicious code or gain full access to admin pages even after the trial period is over,” reads the technical write-up.
Guardio Labs confirmed it disclosed the vulnerability earlier this year, which ConnectWise promptly patched on August 8, 2022, in v22.6.
“As requested by ConnectWise, we waited at least 30 more days before this disclosure so on-prem users will get the chance to update their installations as well,” clarified the company.
The fix comes weeks after IBM discovered an RCE vulnerability in Cobalt Strike deriving from an existing and partially unpatched XSS flaw.