CVE-2024-26135: 
JavaScript vulnerability analysis and mitigation

MeshCentral, a web-based remote monitoring and endpoint management solution, was found to contain a cross-site websocket hijacking (CSWSH) vulnerability (CVE-2024-26135) in versions prior to 1.1.21. The vulnerability exists within the control.ashx endpoint, which is the primary mechanism used for performing administrative actions on the server. The issue was discovered in early 2024 and was patched in version 1.1.21 (GitHub Advisory, NVD).

The vulnerability is classified as a cross-site websocket hijacking (CSWSH) issue with a CVSS v3.1 base score of 8.8 HIGH (NIST) and 8.3 HIGH (GitHub). The vulnerability stems from insufficient origin validation in the control.ashx endpoint, which allows attackers to establish cross-site websocket connections. While the application implements SameSite=Lax security settings on cookies, this protection can be bypassed in certain scenarios, particularly when an attacker compromises an adjacent subdomain (Praetorian).

Successful exploitation of this vulnerability can result in complete compromise of the victim user's account with persistent access. An attacker can read the server configuration file to leak the sessionKey variable, generate login tokens, and create authentication cookies. This access could potentially lead to compromise of all nodes managed by the impacted MeshCentral instance (Praetorian).

The vulnerability has been patched in MeshCentral version 1.1.21. The fix involves implementing proper origin header inspection when websocket connections are established to control.ashx and other websocket endpoints. Organizations should verify that the origin header sent to the server matches an allowlisted origin to prevent cross-site websocket connections from untrusted sites (GitHub Patch).