ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-02-13T00:00:00
Updated: 2023-03-05T00:00:00
Reserved: 2023-02-13T00:00:00
Link: CVE-2023-25719
JSON object: View
NVD Information
Status : Modified
Published: 2023-02-13T20:15:11.110
Modified: 2023-03-05T20:15:09.103
Link: CVE-2023-25719
JSON object: View
Redhat Information
No data.
CWE