IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM).
The issue, characterized as a "neutralization of Special Elements in Output Used by a Downstream Component" weakness, could be abused to achieve remote code execution or to disclose sensitive information.
ConnectWise's advisory notes that Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier, are affected by the critical flaw.
At its core, the issue is tied to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework (CVE-2022-36537), which was initially patched in May 2022.