支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:736

73.6%
立即捐款
一、 漏洞 CVE-2026-0696 基础信息
漏洞信息
                                        # 会话Cookie缺失HttpOnly属性

## 概述
ConnectWise PSA 在版本 2026.1 之前,部分会话 Cookie 未设置 HttpOnly 属性。

## 影响版本
版本早于 2026.1 的 ConnectWise PSA。

## 细节
相关会话 Cookie 缺少 HttpOnly 标志,可能导致客户端脚本读取这些 Cookie 的值。

## 影响
在特定条件下,攻击者可通过跨站脚本(XSS)等手段窃取会话 Cookie,实现会话劫持。
神龙判断

是否为 Web 类漏洞: 未知

判断理由:

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Session Cookies Missing HttpOnly Attribute
来源:美国国家漏洞数据库 NVD
漏洞描述信息
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
没有’HttpOnly’标志的敏感Cookie
来源:美国国家漏洞数据库 NVD
二、漏洞 CVE-2026-0696 的公开POC
#POC 描述源链接神龙链接
三、漏洞 CVE-2026-0696 的情报信息

  • 标题: PSA Security Fix | January 15, 2026 -- 🔗来源链接

    标签:

    神龙速读:
                                            ### ConnectWise PSA 2026.1 Security Fix

- **Date:** 1/15/2026
- **Product(s):** ConnectWise PSA
- **Severity:** Important
- **Priority:** 2 - Moderate

#### Summary
In ConnectWise PSA versions prior to 2026.1, one condition in Time Entry note handling could permit stored script execution in both the PSA web client and PSA Desktop, and a separate condition could allow client-side access to certain session cookies. The PSA 2026.1 release updates input handling and session cookie configuration to address these issues, and we recommend upgrading to the latest available version.

#### Vulnerability

- **CVE-2026-0695**
  - **CWE ID:** CWE-79
  - **Description:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - **Base Score:** 8.7
  - **Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

- **CVE-2026-0696**
  - **CWE ID:** CWE-668
  - **Description:** Exposure of Resource to Wrong Sphere ('Resource Injection')
  - **Base Score:** 4.7
  - **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

#### Recommended Severity
- 2 - Moderate: Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days).

#### Affected Versions
- All versions prior to 2026.1

#### Remediation

- **Cloud**
  - Cloud instances are automatically being updated to the latest ConnectWise PSA release.

- **On-premise**
  - Apply the 2026.1 release patches and ensure all desktop clients are up to date.
    PSA Security Fix | January 15, 2026
  • https://nvd.nist.gov/vuln/detail/CVE-2026-0696
四、漏洞 CVE-2026-0696 的评论

暂无评论

发表评论