支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:736

73.6%
立即捐款
一、 漏洞 CVE-2026-0695 基础信息
漏洞信息
                                        # 时间录入审计日志存储型XSS漏洞

## 概述
ConnectWise PSA 在 2026.1 之前版本中,时间条目审计日志中的时间条目备注在显示时未对部分内容进行输出编码,可能导致存储型跨站脚本(XSS)漏洞。

## 影响版本
版本早于 2026.1 的 ConnectWise PSA。

## 细节
Time Entry Audit Trail 中存储的 Time Entry notes 在渲染时未正确应用输出编码,攻击者可利用该缺陷注入恶意脚本内容。当其他用户查看受影响的时间条目记录时,恶意脚本将在其浏览器上下文中执行。

## 影响
在特定条件下,可导致存储型 XSS,攻击者可能借此窃取会话信息、劫持用户操作或执行未经授权的操作。
神龙判断

是否为 Web 类漏洞: 未知

判断理由:

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Stored XSS in Time Entry Audit Trail
来源:美国国家漏洞数据库 NVD
漏洞描述信息
In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源:美国国家漏洞数据库 NVD
二、漏洞 CVE-2026-0695 的公开POC
#POC 描述源链接神龙链接
三、漏洞 CVE-2026-0695 的情报信息

  • 标题: PSA Security Fix | January 15, 2026 -- 🔗来源链接

    标签:

    神龙速读:
                                            ### ConnectWise PSA 2026.1 Security Fix

- **Date:** 1/15/2026
- **Product(s):** ConnectWise PSA
- **Severity:** Important
- **Priority:** 2 - Moderate

#### Summary
In ConnectWise PSA versions prior to 2026.1, one condition in Time Entry note handling could permit stored script execution in both the PSA web client and PSA Desktop, and a separate condition could allow client-side access to certain session cookies. The PSA 2026.1 release updates input handling and session cookie configuration to address these issues, and we recommend upgrading to the latest available version.

#### Vulnerability

- **CVE-2026-0695**
  - **CWE ID:** CWE-79
  - **Description:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - **Base Score:** 8.7
  - **Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

- **CVE-2026-0696**
  - **CWE ID:** CWE-668
  - **Description:** Exposure of Resource to Wrong Sphere ('Resource Injection')
  - **Base Score:** 4.7
  - **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

#### Recommended Severity
- 2 - Moderate: Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days).

#### Affected Versions
- All versions prior to 2026.1

#### Remediation

- **Cloud**
  - Cloud instances are automatically being updated to the latest ConnectWise PSA release.

- **On-premise**
  - Apply the 2026.1 release patches and ensure all desktop clients are up to date.
    PSA Security Fix | January 15, 2026
  • https://nvd.nist.gov/vuln/detail/CVE-2026-0695
四、漏洞 CVE-2026-0695 的评论

暂无评论

发表评论