CVE-2020-14159
Last modified
CVE-2020-14159 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178.. EPSS estimates a 1.93% chance of exploitation in the next 30 days.
Description
By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Connectwise | Automate Api | < 2019.12.337 |
| Connectwise | Automate Api | >= 2020, < 2020.1.53 |
| Connectwise | Automate Api | >= 2020.2, < 2020.2.85 |
| Connectwise | Automate Api | >= 2020.3, < 2020.3.114 |
| Connectwise | Automate Api | >= 2020.4, < 2020.4.143 |
| Connectwise | Automate Api | >= 2020.5, < 2020.5.178 |
References
- https://www.connectwise.com/company/trust#tab1Vendor Advisory
- https://www.connectwise.com/company/trust#tab1Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-14159?
How severe is CVE-2020-14159?
How do I fix CVE-2020-14159?
Are you affected by CVE-2020-14159?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST