Description

In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.

Related CPE's

a

connectwise

connectwise

22.8.10013.8329

Vulnerable

References

https://github.com/l00neyhacker/CVE-2023-23127

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-311

CVSS impact metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-02-01T14:15:09.670

2 years ago

Last modified

2024-08-02T11:15:42.550

9 months ago