CVE-2023-51837: 
JavaScript vulnerability analysis and mitigation

Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation. The vulnerability was discovered in multiple components of the application, including mpsserver.js and several other modules. This security issue was assigned CVE-2023-51837 and affects the core functionality of the application's network request handling (GitHub Advisory).

The vulnerability stems from the application's network request configuration where the 'rejectUnauthorized' attribute is set to false. This property is specifically used for verifying server certificates in HTTPS connections. When set to false, the application bypasses certificate validation, potentially compromising the security of HTTPS connections. The issue was identified in multiple files including mpsserver.js, amt-redir-duk.js, and rdp/core/layer.js. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability can lead to serious security implications including information disclosure and privilege escalation. By bypassing SSL certificate validation, the application becomes susceptible to man-in-the-middle attacks, potentially allowing attackers to intercept and manipulate sensitive data transmitted between the client and server (GitHub Advisory).

The vulnerability affects MeshCentral version 1.1.16. Users should ensure proper SSL certificate validation is implemented by setting appropriate validation parameters in the application's configuration. This includes ensuring 'rejectUnauthorized' is set to true for all HTTPS connections (GitHub Advisory).