Search criteria
4 vulnerabilities by meshcentral
CVE-2024-26135 (GCVE-0-2024-26135)
Vulnerability from cvelistv5 – Published: 2024-02-20 19:50 – Updated: 2025-04-22 16:26
VLAI?
Summary
MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue.
Severity ?
8.4 (High)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Ylianst | MeshCentral |
Affected:
< 1.1.21
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ylianst:meshcentral:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "meshcentral",
"vendor": "ylianst",
"versions": [
{
"lessThan": "1.1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26135",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T15:46:41.513861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:26:34.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8"
},
{
"name": "https://github.com/Ylianst/MeshCentral/commit/f2e43cc6da9f5447dbff0948e6c6024c8a315af3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Ylianst/MeshCentral/commit/f2e43cc6da9f5447dbff0948e6c6024c8a315af3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MeshCentral",
"vendor": "Ylianst",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T19:50:30.723Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8"
},
{
"name": "https://github.com/Ylianst/MeshCentral/commit/f2e43cc6da9f5447dbff0948e6c6024c8a315af3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Ylianst/MeshCentral/commit/f2e43cc6da9f5447dbff0948e6c6024c8a315af3"
}
],
"source": {
"advisory": "GHSA-cp68-qrhr-g9h8",
"discovery": "UNKNOWN"
},
"title": "MeshCentral cross-site websocket hijacking (CSWSH) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26135",
"datePublished": "2024-02-20T19:50:30.723Z",
"dateReserved": "2024-02-14T17:40:03.687Z",
"dateUpdated": "2025-04-22T16:26:34.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51838 (GCVE-0-2023-51838)
Vulnerability from cvelistv5 – Published: 2024-02-02 00:00 – Updated: 2025-06-16 19:04
VLAI?
Summary
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-02T19:23:25.562899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T19:04:35.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.854Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Ylianst/MeshCentral/tree/master"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51838.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T15:47:04.366Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"url": "https://github.com/Ylianst/MeshCentral/tree/master"
},
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51838.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51838",
"datePublished": "2024-02-02T00:00:00.000Z",
"dateReserved": "2023-12-26T00:00:00.000Z",
"dateUpdated": "2025-06-16T19:04:35.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51837 (GCVE-0-2023-51837)
Vulnerability from cvelistv5 – Published: 2024-01-30 00:00 – Updated: 2025-05-29 15:08
VLAI?
Summary
Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Ylianst/MeshCentral/blob/master/mpsserver.js"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51837.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T23:34:02.476334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:08:13.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-30T00:52:55.623Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"url": "https://github.com/Ylianst/MeshCentral/blob/master/mpsserver.js"
},
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51837.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51837",
"datePublished": "2024-01-30T00:00:00.000Z",
"dateReserved": "2023-12-26T00:00:00.000Z",
"dateUpdated": "2025-05-29T15:08:13.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51842 (GCVE-0-2023-51842)
Vulnerability from cvelistv5 – Published: 2024-01-29 00:00 – Updated: 2025-06-02 19:34
VLAI?
Summary
An algorithm-downgrade issue was discovered in Ylianst MeshCentral 1.1.16.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Ylianst/MeshCentral/tree/master"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51842.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-51842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T19:22:04.904689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T19:34:59.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An algorithm-downgrade issue was discovered in Ylianst MeshCentral 1.1.16."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T19:30:22.658Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/Bug_MeshCentral.md"
},
{
"url": "https://github.com/Ylianst/MeshCentral/tree/master"
},
{
"url": "https://github.com/tianjk99/Cryptographic-Misuses/blob/main/CVE-2023-51842.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51842",
"datePublished": "2024-01-29T00:00:00.000Z",
"dateReserved": "2023-12-26T00:00:00.000Z",
"dateUpdated": "2025-06-02T19:34:59.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}