Описание
MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to control.ashx as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue.
Ссылки
- Patch
- ExploitMitigationVendor Advisory
- Patch
- ExploitMitigationVendor Advisory
Уязвимые конфигурации
EPSS
8.3 High
CVSS3
8.8 High
CVSS3
Дефекты
Связанные уязвимости
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
Уязвимость системы удаленного управления устройствами MeshCentral, связанная с недостатками в механизме подтверждения источника данных, позволяющая нарушителю выполнить произвольный код
EPSS
8.3 High
CVSS3
8.8 High
CVSS3