CVE-2020-14159

By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178.
SQL Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score Percentile: 72%
Vendor | Product | Version
connectwise | automate_api | 𝑥 < 2019.12.337
connectwise | automate_api | 2020 ≤ 𝑥 < 2020.1.53
connectwise | automate_api | 2020.2 ≤ 𝑥 < 2020.2.85
connectwise | automate_api | 2020.3 ≤ 𝑥 < 2020.3.114
connectwise | automate_api | 2020.4 ≤ 𝑥 < 2020.4.143
connectwise | automate_api | 2020.5 ≤ 𝑥 < 2020.5.178
𝑥 = Vulnerable software versions