Automate
CVE-2023-23126
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.
AnalysisAI
Connectwise Automate 2022.11 is vulnerable to Clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-1021. Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack. Affected products include: Connectwise Automate.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulner
ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication
Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to subst
Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec
The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder h
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interc
Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Rated medium severity (CVSS 5.9), this vulnerabi
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
Share
External POC / Exploit Code
Leaving vuln.today