A vulnerability, which was classified as problematic, was found in ConnectWise Manage 2017.5 (Network Management Software). Affected is an unknown functionality of the file services/system_io/actionprocessor/Contact.rails. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

services/system_io/actionprocessor/Contact.rails in ConnectWise Manage 2017.5 allows arbitrary client-side JavaScript code execution (involving a ContactCommon field) on victims who click on a crafted link, aka XSS.

The bug was discovered 07/31/2017. The weakness was published 07/31/2017 (Website). The advisory is shared for download at becomepentester.blogspot.in. This vulnerability is traded as CVE-2017-11727 since 07/28/2017. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entry is available at 104699.

Productinfo

Type

• Network Management Software

Vendor

• ConnectWise

Name

• Manage

Version

• 2017.5

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion