CVE-2020-14159

EUVD-2020-6316
By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178.
SQL Injection
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPSS Score
Percentile: 73%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| connectwise | automate_api | x < 2019.12.337 |
| connectwise | automate_api | 2020 ≤ x < 2020.1.53 |
| connectwise | automate_api | 2020.2 ≤ x < 2020.2.85 |
| connectwise | automate_api | 2020.3 ≤ x < 2020.3.114 |
| connectwise | automate_api | 2020.4 ≤ x < 2020.4.143 |
| connectwise | automate_api | 2020.5 ≤ x < 2020.5.178 |

x = Vulnerable software versions