Professional Service Automation
Monthly
Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).
Stored cross-site scripting in ConnectWise PSA versions before 2026.1 allows authenticated users to inject malicious scripts into Time Entry notes that execute in other users' browsers when viewed in the audit trail. An attacker with legitimate access could leverage this to steal session tokens, perform unauthorized actions, or compromise other users within the PSA system. No patch is currently available.
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system.
Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).
Stored cross-site scripting in ConnectWise PSA versions before 2026.1 allows authenticated users to inject malicious scripts into Time Entry notes that execute in other users' browsers when viewed in the audit trail. An attacker with legitimate access could leverage this to steal session tokens, perform unauthorized actions, or compromise other users within the PSA system. No patch is currently available.
In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system.