PT-2024-1978 · Unknown · Meshcentral

Ylianst · Published 2024-02-20 · Updated 2025-01-16 · CVE-2024-26135

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MeshCentral versions prior to 1.1.21

Description: The issue is a cross-site WebSocket hijacking (CSWSH) vulnerability in the "control.ashx" endpoint, which is the primary mechanism used to perform administrative actions on the server. The vulnerability can be exploited when an attacker convinces a victim to click a malicious link: client-side JavaScript on the attacker's page originates a cross-site WebSocket connection, and because the server does not validate the Origin header, the attacker's page connects to "control.ashx" with the victim's session, i.e. as the victim user within MeshCentral. The vulnerability is patched in version 1.1.21.

Recommendations: To remediate this vulnerability, inspect the Origin header when WebSocket connections are established to "control.ashx" and other WebSocket endpoints, and verify that it exactly matches an allowlisted origin. This prevents an attacker from originating a cross-site WebSocket connection from an untrusted site. For versions prior to 1.1.21, update to version 1.1.21 or later to patch the issue. As a temporary workaround, consider restricting access to the "control.ashx" endpoint to minimize the risk of exploitation.
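The Origin allowlist check the recommendation describes, as an added example in Node.js (this is not MeshCentral's own code). It assumes the operator configures a list of full origins (scheme://host[:port]); the origins used below are constructed for illustration, and handleUpgrade is a hypothetical stand-in for wherever a server handles the HTTP "upgrade" request.

```javascript
// Added example, not MeshCentral's code: strict Origin allowlist check for
// WebSocket upgrade requests, as the advisory's recommendation describes.
// The allowlist contents are constructed for illustration.

// Normalize an origin string into "scheme://host[:port]" form, or return
// null if it is not a valid absolute http(s) origin. Parsing with URL (rather
// than string matching) avoids substring pitfalls such as an attacker host
// named "mesh.example.com.attacker.test", and it lowercases the host and
// drops default ports so "https://mesh.example.com:443" compares equal.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null; // includes the literal "null" origin and garbage values
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

// Returns true only when the Origin header is present, parses as an http(s)
// origin, and exactly matches one allowlisted origin. A missing Origin is
// rejected: browsers always send it on WebSocket handshakes, so legitimate
// browser clients of an administrative endpoint are unaffected; non-browser
// clients would need a separate, explicit policy (an assumption here).
function isAllowedOrigin(originHeader, allowlist) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return false;
  const allowed = new Set(allowlist.map(normalizeOrigin).filter(Boolean));
  return allowed.has(origin);
}

// Hypothetical "upgrade" handler showing where the check sits: a request
// from a non-allowlisted origin is answered with 403 and the socket closed
// before any WebSocket handshake completes. Returns true when the
// handshake may proceed.
function handleUpgrade(req, socket, allowlist) {
  if (!isAllowedOrigin(req.headers.origin, allowlist)) {
    socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
    socket.destroy();
    return false;
  }
  return true;
}
```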

Weakness Enumeration: Origin Validation Error

Related Identifiers

BDU:2024-01814
CVE-2024-26135
GHSA-CP68-QRHR-G9H8

Affected Products

Meshcentral