CVE-2023-23127

Published: Feb 1, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.

Affected (1)

Products: Connectwise: Connectwise

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Connectwise Connectwise	Version 22.8.10013.8329

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

References (2)

https://github.com/l00neyhacker/CVE-2023-23127

Source: cve@mitre.org

Third Party Advisory

https://github.com/l00neyhacker/CVE-2023-23127

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.