ConnectWise PSA Cross-Site Scripting Vulnerability in Time Entry Notes
Vulnerability
A cross-site scripting vulnerability has been identified in ConnectWise PSA versions prior to 2026.1. The issue arises because Time Entry notes in the Audit Trail may be displayed without proper output encoding. Under certain conditions, this could allow stored script code to execute in the context of the user's browser when the affected content is viewed. Additionally, in versions prior to 2026.1, certain session cookies were accessible on the client side without the 'HttpOnly' flag, which could expose sensitive information.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute script code in the context of the user's browser. This could potentially lead to session hijacking or other malicious actions, depending on the nature of the injected script.
Remediation
Users are advised to upgrade to ConnectWise PSA version 2026.1 or later. For on-premise installations, apply the 2026.1 release patches and ensure all desktop clients are updated.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.