Search criteria
6 vulnerabilities found for PSA by ConnectWise
CVE-2026-0695 (GCVE-0-2026-0695)
Vulnerability from nvd – Published: 2026-01-16 13:34 – Updated: 2026-01-27 12:14
VLAI?
Title
Stored XSS in Time Entry Audit Trail
Summary
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2026.1
|
Credits
Petar Sever (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T14:07:34.050146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:07:48.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PSA Web Application and PSA Desktop Client"
],
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2026.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Petar Sever (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user\u2019s browser when the affected content is displayed."
}
],
"value": "In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user\u2019s browser when the affected content is displayed."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T12:14:38.371Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix"
},
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2026-0695"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eCloud\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premise\u003c/b\u003e\u003cbr\u003eApply the 2026.1 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cloud\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\n\nOn-premise\nApply the 2026.1 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Time Entry Audit Trail",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2026-0695",
"datePublished": "2026-01-16T13:34:42.833Z",
"dateReserved": "2026-01-07T21:31:57.230Z",
"dateUpdated": "2026-01-27T12:14:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0696 (GCVE-0-2026-0696)
Vulnerability from nvd – Published: 2026-01-16 13:34 – Updated: 2026-01-27 12:14
VLAI?
Title
Session Cookies Missing HttpOnly Attribute
Summary
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
Severity ?
6.5 (Medium)
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2026.1
|
Credits
Petar Sever (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T14:06:51.958037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:07:10.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PSA Desktop Client"
],
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2026.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Petar Sever (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values."
}
],
"value": "In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T12:14:05.158Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix"
},
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2026-0696"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eCloud\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premise\u003c/b\u003e\u003cbr\u003eApply the 2026.1 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Cloud\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\n\nOn-premise\nApply the 2026.1 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Session Cookies Missing HttpOnly Attribute",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2026-0696",
"datePublished": "2026-01-16T13:34:49.042Z",
"dateReserved": "2026-01-07T21:32:00.544Z",
"dateUpdated": "2026-01-27T12:14:05.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7204 (GCVE-0-2025-7204)
Vulnerability from nvd – Published: 2025-07-09 14:50 – Updated: 2025-07-10 11:35
VLAI?
Title
Exposure of password hashes via API responses in ConnectWise PSA
Summary
In ConnectWise PSA versions older than 2025.9, a
vulnerability exists where authenticated users could gain access to sensitive
user information. Specific API requests were found to return an overly verbose
user object, which included encrypted password hashes for other users.
Authenticated users could then retrieve these hashes.
An
attacker or privileged user could then use these exposed hashes to conduct
offline brute-force or dictionary attacks. Such attacks could lead to
credential compromise, allowing unauthorized access to accounts, and
potentially privilege escalation within the system.
Severity ?
6.5 (Medium)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2025.9
|
Credits
Michael Newton (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T15:57:27.486627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T15:57:34.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Newton (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system.\u003c/p\u003e\n\n\n\n\n\n\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "In ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u00a0\n\n\n\nAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T11:35:40.506Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-psa-2025.9-security-fix"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2025-7204"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-Premise:\u003c/b\u003e\u003cbr\u003eApply the 2025.9 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\u00a0\n\nOn-Premise:\nApply the 2025.9 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of password hashes via API responses in ConnectWise PSA",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-7204",
"datePublished": "2025-07-09T14:50:36.477Z",
"dateReserved": "2025-07-07T11:30:08.002Z",
"dateUpdated": "2025-07-10T11:35:40.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-0696 (GCVE-0-2026-0696)
Vulnerability from cvelistv5 – Published: 2026-01-16 13:34 – Updated: 2026-01-27 12:14
VLAI?
Title
Session Cookies Missing HttpOnly Attribute
Summary
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
Severity ?
6.5 (Medium)
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2026.1
|
Credits
Petar Sever (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T14:06:51.958037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:07:10.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PSA Desktop Client"
],
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2026.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Petar Sever (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values."
}
],
"value": "In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004 Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T12:14:05.158Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix"
},
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2026-0696"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eCloud\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premise\u003c/b\u003e\u003cbr\u003eApply the 2026.1 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Cloud\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\n\nOn-premise\nApply the 2026.1 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Session Cookies Missing HttpOnly Attribute",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2026-0696",
"datePublished": "2026-01-16T13:34:49.042Z",
"dateReserved": "2026-01-07T21:32:00.544Z",
"dateUpdated": "2026-01-27T12:14:05.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0695 (GCVE-0-2026-0695)
Vulnerability from cvelistv5 – Published: 2026-01-16 13:34 – Updated: 2026-01-27 12:14
VLAI?
Title
Stored XSS in Time Entry Audit Trail
Summary
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2026.1
|
Credits
Petar Sever (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T14:07:34.050146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:07:48.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PSA Web Application and PSA Desktop Client"
],
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2026.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Petar Sever (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user\u2019s browser when the affected content is displayed."
}
],
"value": "In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user\u2019s browser when the affected content is displayed."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T12:14:38.371Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix"
},
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2026-0695"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eCloud\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-premise\u003c/b\u003e\u003cbr\u003eApply the 2026.1 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\n\n\u003cbr\u003e"
}
],
"value": "Cloud\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\n\nOn-premise\nApply the 2026.1 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Time Entry Audit Trail",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2026-0695",
"datePublished": "2026-01-16T13:34:42.833Z",
"dateReserved": "2026-01-07T21:31:57.230Z",
"dateUpdated": "2026-01-27T12:14:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7204 (GCVE-0-2025-7204)
Vulnerability from cvelistv5 – Published: 2025-07-09 14:50 – Updated: 2025-07-10 11:35
VLAI?
Title
Exposure of password hashes via API responses in ConnectWise PSA
Summary
In ConnectWise PSA versions older than 2025.9, a
vulnerability exists where authenticated users could gain access to sensitive
user information. Specific API requests were found to return an overly verbose
user object, which included encrypted password hashes for other users.
Authenticated users could then retrieve these hashes.
An
attacker or privileged user could then use these exposed hashes to conduct
offline brute-force or dictionary attacks. Such attacks could lead to
credential compromise, allowing unauthorized access to accounts, and
potentially privilege escalation within the system.
Severity ?
6.5 (Medium)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ConnectWise | PSA |
Affected:
All versions prior to 2025.9
|
Credits
Michael Newton (The Missing Link)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T15:57:27.486627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T15:57:34.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PSA",
"vendor": "ConnectWise",
"versions": [
{
"status": "affected",
"version": "All versions prior to 2025.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Newton (The Missing Link)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system.\u003c/p\u003e\n\n\n\n\n\n\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "In ConnectWise PSA versions older than 2025.9, a\nvulnerability exists where authenticated users could gain access to sensitive\nuser information. Specific API requests were found to return an overly verbose\nuser object, which included encrypted password hashes for other users.\nAuthenticated users could then retrieve these hashes.\u00a0\n\n\n\nAn\nattacker or privileged user could then use these exposed hashes to conduct\noffline brute-force or dictionary attacks. Such attacks could lead to\ncredential compromise, allowing unauthorized access to accounts, and\npotentially privilege escalation within the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T11:35:40.506Z",
"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"shortName": "ConnectWise"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-psa-2025.9-security-fix"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2025-7204"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eCloud:\u003c/b\u003e\u003cbr\u003eCloud instances are automatically being updated to the latest ConnectWise PSA release.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cb\u003eOn-Premise:\u003c/b\u003e\u003cbr\u003eApply the 2025.9 release patches and ensure all desktop clients are up to date.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Cloud:\nCloud instances are automatically being updated to the latest ConnectWise PSA release.\u00a0\n\nOn-Premise:\nApply the 2025.9 release patches and ensure all desktop clients are up to date."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of password hashes via API responses in ConnectWise PSA",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49",
"assignerShortName": "ConnectWise",
"cveId": "CVE-2025-7204",
"datePublished": "2025-07-09T14:50:36.477Z",
"dateReserved": "2025-07-07T11:30:08.002Z",
"dateUpdated": "2025-07-10T11:35:40.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}