Automate
CVE-2021-35066
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132.
AnalysisAI
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Affected products include: Connectwise Automate. Version information: before 2021.0.6.132..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication
Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to subst
Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec
The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder h
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interc
Connectwise Automate 2022.11 is vulnerable to Clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remo
Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Rated medium severity (CVSS 5.9), this vulnerabi
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
Share
External POC / Exploit Code
Leaving vuln.today