CWE-346
Allowed-with-ReviewOrigin Validation Error
Abstraction: Class · Status: Draft
The product does not properly verify that the source of data or communication is valid.
790 vulnerabilities reference this CWE, most recent first.
GHSA-C55V-343G-5XFF
Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:151. Overview
Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header.
2. Vulnerability Mechanism (Root Cause)
The vulnerability manifests when assetManager.cacheSourcePaths is set to false. The attack chain relies on three structural flaws and insecure defaults:
- A. Default Proxy Trust (
trustedHosts): Craft’s defaultGeneralConfig::$trustedHostsis set to['any']. This allows an attacker to bypass front-end web server (Nginx/Apache) strictHostheader validations by simply injecting anX-Forwarded-Hostheader. Yii2 will parse this and globally set$baseUrlto the attacker's domain. - B. Insecure HTTP Client (
actionResourceJs): InAppController::actionResourceJs(), thestr_starts_with($url, $baseUrl)validation is bypassed because$baseUrlis already poisoned by the attacker. The core then usesCraft::createGuzzleClient()->get($url). Unlike the GraphQL Asset fetcher, this Guzzle instance defaults toALLOW_REDIRECTS => true. - C. Forced JS Content-Type: The response fetched from the attacker's server is blindly returned to the user via
$this->asRaw()with the headerContent-Type: application/javascript.
3. Attack Scenario & Impact (Proof of Exploitability) This endpoint acts as a proxy, taking remote, unverified content and serving it as valid JavaScript. While the direct SSRF allows for internal network probing, the most devastating impact occurs when caching layers are involved.
If the Craft CMS instance is behind a caching layer, this vulnerability leads directly to Web Cache Poisoning:
- An unauthenticated attacker sends the poisoned request.
- The caching layer caches the malicious JavaScript response for the legitimate
/actions/app/resource-jsURI. - When an authenticated Administrator logs into the Control Panel, their browser loads the poisoned cached JavaScript (Stored XSS).
- The malicious script extracts
window.Craft.csrfTokenValueand silently sends a POST request to/admin/actions/plugins/install-plugin, achieving 1-Click Remote Code Execution (RCE) via Session Riding.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55791"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:15:19Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "**1. Overview**\n\nCraft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or `X-Forwarded-Host` header to manipulate the application\u2019s `$baseUrl`. This bypasses the endpoint\u2019s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a `Content-Type: application/javascript` header.\n\n**2. Vulnerability Mechanism (Root Cause)**\nThe vulnerability manifests when `assetManager.cacheSourcePaths` is set to `false`. The attack chain relies on three structural flaws and insecure defaults:\n\n- **A. Default Proxy Trust (`trustedHosts`):** Craft\u2019s default `GeneralConfig::$trustedHosts` is set to `[\u0027any\u0027]`. This allows an attacker to bypass front-end web server (Nginx/Apache) strict `Host` header validations by simply injecting an `X-Forwarded-Host` header. Yii2 will parse this and globally set `$baseUrl` to the attacker\u0027s domain.\n- **B. Insecure HTTP Client (`actionResourceJs`):** In `AppController::actionResourceJs()`, the `str_starts_with($url, $baseUrl)` validation is bypassed because `$baseUrl` is already poisoned by the attacker. The core then uses `Craft::createGuzzleClient()-\u003eget($url)`. Unlike the GraphQL Asset fetcher, this Guzzle instance defaults to `ALLOW_REDIRECTS =\u003e true`.\n- **C. Forced JS Content-Type:** The response fetched from the attacker\u0027s server is blindly returned to the user via `$this-\u003easRaw()` with the header `Content-Type: application/javascript`.\n\n**3. Attack Scenario \u0026 Impact (Proof of Exploitability)**\nThis endpoint acts as a proxy, taking remote, unverified content and serving it as valid JavaScript. While the direct SSRF allows for internal network probing, the most devastating impact occurs when caching layers are involved.\n\nIf the Craft CMS instance is behind a caching layer, this vulnerability leads directly to **Web Cache Poisoning**:\n\n1. An unauthenticated attacker sends the poisoned request.\n2. The caching layer caches the malicious JavaScript response for the legitimate `/actions/app/resource-js` URI.\n3. When an authenticated Administrator logs into the Control Panel, their browser loads the poisoned cached JavaScript (**Stored XSS**).\n4. The malicious script extracts `window.Craft.csrfTokenValue` and silently sends a POST request to `/admin/actions/plugins/install-plugin`, achieving **1-Click Remote Code Execution (RCE)** via Session Riding.",
"id": "GHSA-c55v-343g-5xff",
"modified": "2026-06-19T21:15:19Z",
"published": "2026-06-19T21:15:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/pull/18559"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs"
}
GHSA-C93P-H3CC-P7RR
Vulnerability from github – Published: 2026-05-21 15:34 – Updated: 2026-05-21 15:34An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-34927"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T14:16:45Z",
"severity": "HIGH"
},
"details": "An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-c93p-h3cc-p7rr",
"modified": "2026-05-21T15:34:09Z",
"published": "2026-05-21T15:34:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34927"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0023430"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCH3-2VM3-V73J
Vulnerability from github – Published: 2025-04-20 03:50 – Updated: 2025-04-20 15:30open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).
{
"affected": [],
"aliases": [
"CVE-2025-43929"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-20T03:15:36Z",
"severity": "MODERATE"
},
"details": "open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).",
"id": "GHSA-cch3-2vm3-v73j",
"modified": "2025-04-20T15:30:35Z",
"published": "2025-04-20T03:50:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43929"
},
{
"type": "WEB",
"url": "https://github.com/kovidgoyal/kitty/commit/ce5cfdd9caf44c538af800a07162e1f49bd53c35"
},
{
"type": "WEB",
"url": "https://ghostwriter.kde.org/documentation/#links"
},
{
"type": "WEB",
"url": "https://github.com/0xBenCantCode/CVE-2025-43929"
},
{
"type": "WEB",
"url": "https://github.com/kovidgoyal/kitty/compare/v0.40.1...v0.41.0"
},
{
"type": "WEB",
"url": "https://hitman.services/cve-2025-43929"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CF9G-JHQF-GM5J
Vulnerability from github – Published: 2023-06-07 18:30 – Updated: 2024-04-04 04:39An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.
{
"affected": [],
"aliases": [
"CVE-2023-2589"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T17:15:10Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group.",
"id": "GHSA-cf9g-jhqf-gm5j",
"modified": "2024-04-04T04:39:42Z",
"published": "2023-06-07T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2589"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1941803"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2589.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/407891"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CGJQ-P4Q9-CFJ7
Vulnerability from github – Published: 2022-04-30 18:12 – Updated: 2024-02-08 21:30Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a "secure" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user's configuration file and execute commands.
{
"affected": [],
"aliases": [
"CVE-1999-1549"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "1999-11-16T05:00:00Z",
"severity": "MODERATE"
},
"details": "Lynx 2.x does not properly distinguish between internal and external HTML, which may allow a local attacker to read a \"secure\" hidden form value from a temporary file and craft a LYNXOPTIONS: URL that causes Lynx to modify the user\u0027s configuration file and execute commands.",
"id": "GHSA-cgjq-p4q9-cfj7",
"modified": "2024-02-08T21:30:28Z",
"published": "2022-04-30T18:12:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-1999-1549"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=94286509804526\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGPV-8243-Q33X
Vulnerability from github – Published: 2023-06-08 15:30 – Updated: 2024-04-04 04:40Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allow attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints.
{
"affected": [],
"aliases": [
"CVE-2023-33443"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-08T14:15:15Z",
"severity": "CRITICAL"
},
"details": "Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allow attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints.",
"id": "GHSA-cgpv-8243-q33x",
"modified": "2024-04-04T04:40:33Z",
"published": "2023-06-08T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33443"
},
{
"type": "WEB",
"url": "https://gitlab.com/FallFur/exploiting-unprotected-admin-funcionalities-on-besder-ip-cameras"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJ53-RX7H-6VM4
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages.
{
"affected": [],
"aliases": [
"CVE-2022-50925"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:15:56Z",
"severity": "HIGH"
},
"details": "Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages.",
"id": "GHSA-cj53-rx7h-6vm4",
"modified": "2026-01-14T00:31:28Z",
"published": "2026-01-14T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50925"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50796"
},
{
"type": "WEB",
"url": "https://www.prowise.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/prowise-reflect-remote-keystroke-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CP68-QRHR-G9H8
Vulnerability from github – Published: 2024-02-21 00:10 – Updated: 2024-02-21 00:10We have identified a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint of MeshCentral. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. To demonstrate the impact of the vulnerability we developed a proof-of-concept which leveraged the cross-site websocket hijacking vulnerability to read the server configuration file to leak the sessionKey variable, generating login tokens, and generating an authentication cookie.
The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to “control.ashx” as the victim user within MeshCentral. There are some caveats to exploiting this issue however as MeshCentral configures SameSite=Lax security setting on cookies which introduces some additional preconditions for exploitation which we cover in a subsequent section.
MeshCentral Version Tested
We performed testing against MeshCentral version 1.1.20 which appears to be the latest supported version of the application. This appears to have been the latest version of MeshCentral available at the time we performed testing of the application in January and February 2024 (see Figure 1 and Figure 2).
Figure 1: We determined that MeshCentral version 1.1.20 was the latest version available at the time we performed testing of the application.
Figure 2: We configured our test environment on an Ubuntu server running version 1.1.20 of the MeshCentral application server.
What about SameSite=Lax Cookie Settings?
One may make the counterpoint that the SameSite=Lax security setting (see Figure 4) effectively prevents cross-site websocket hijacking (CSWSH) issues as an attacker origin of attacker.com would not be within the same-site as the victim meshcentral server at say meshcentral.example.com. This means an attacker that is able to convince a user to click on a malicious link wouldn’t be able to successfully perform this attacker to the Lax setting with differing origins.
Unfortunately, this isn’t entirely correct as there is a core difference between same-site and same-origin policies within all modern browsers. In this case, while it’s valid to say that the attack wouldn’t work in the case of attacker.com targeting meshcentral.example.com when the SameSite setting is configured to Lax for session cookies, there are several other scenarios where an attacker could perform the attack successfully (see Figure 3).
Figure 3: A table from PortSwigger’s article on Bypassing SameSite Cookie Restrictions (source).
From our perspective, the most relevant scenario is when an attacker is able to compromise an adjacent subdomain either through a vector such as a system compromise, exploiting a subdomain takeover vulnerability, or through exploitation of a cross-site scripting vulnerability within an adjacent application running under the same domain. For example, if an attacker found a cross-site scripting issue on example.com or vulnerable.example.com they would then be able to leverage the cross-site scripting issues on those domains to target meshcentral.example.com. There are other factors which could also allow an attacker to bypass the SameSite=Lax setting to perform cross-site websocket hijacking. For a more comprehensive list please see Bypassing SameSite Cookie Restrictions from PortSwigger.
Figure 4: We observed that upon logging into MeshCentral the “xid” and “xid.sig” tokens were configured with the SameSite=Lax security settings.
Developing an Initial Proof-of-Concept Exploit
At this point we had a testing deployment of MeshCentral configured at meshcentral.example.com and simulated an attacker-compromised adjacent subdomain at evil.example.com. In this scenario, we assume the attacker exploited a subdomain takeover vulnerability to host malicious content on evil.example.com. Next, we developed a simple proof-of-concept payload which originated a cross-site websocket connection from the evil.example.com origin to meshcentral.example.com (see Figure 5).
Figure 5: An initial proof-of-concept exploit we developed which simply sent a ping-message over the websocket connection from evil.example.com targeting meshcentral.example.com. We then triggered the exploit payload as a user that was logged into the MeshCentral application as an administrator by browsing to evil.example.com with a valid session on meshcentral.example.com. We
observed a cross-site websocket connection to meshcentral.example.com with an origin header set to evil.example.com as it originated from the attacker domain (see Figure 6). The response indicated the connection was successful and we received the expected pong response to our ping message sent to the server.
Figure 6: We observed that when originating a websocket connection across origins the origin header was sent by the browser to the MeshCentral server indicating the origin which originated the cross-site websocket connection.
Demonstrating Impact
After confirming the vulnerability we then developed a more comprehensive exploit payload to demonstrate the impact of the vulnerability (see Figure 7). Our new payload sent the serverconfig, authcookie, and createLoginToken actions to the administrative component. The ability to issue a new login token then provided us with persistent access to the users account. The ability to read the serverconfig file allowed us to exfiltrate the session key used to sign sessions allowing the attacker to forge valid session tokens as arbitrary users on the system. Our payload then read the response from the server and exfiltrated the sensitive data exported from the system to an attacker-controlled system for storage purposes (see Figure 8).
Figure 7: A proof-of-concept exploit we developed for the cross-site websocket hijacking vulnerability resulting in complete compromise of the user’s account and persistent access to the MeshCentral application as the victim user.
Figure 8: We performed the attack using the exploit code shown in Figure AA to invoked the authcookie, serverconfig, and createLoginToken endpoints on the victim MeshCentral system leveraging the cross-site websocket hijacking vulnerability from evil.example.com.
After performing the attack successfully we used the issued login token to authenticate to MeshCental and access the console as the NT AUTHORITY\SYSTEM user for a windows agent which connected to the victim MeshCentral instance. This provided compromise of all the nodes within the impacted MeshCentral instance (see Figure 9 and Figure 10).
Figure 9: An attacker could leverage the login token created by the attacker to authenticate to MeshCentral and then leverage this access to compromise nodes managed by the impacted MeshCentral instance.
Figure 10: An attacker could leverage the cross-site websocket hijacking vulnerability to read the server configuration file of the MeshCentral system as an administrator to obtain the key used to encrypt sessions (sessionKey).
Remediation
To remediate this vulnerability we recommend inspecting the origin header when websocket connections are established to control.ashx and other websocket endpoints. Verify that the origin header sent to the server matches an allowlisted origin. This would prevent an attacker from originating a cross-site websocket connection from an untrusted site.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "meshcentral"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26135"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:10:30Z",
"nvd_published_at": "2024-02-20T20:15:08Z",
"severity": "HIGH"
},
"details": "We have identified a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint of MeshCentral. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. To demonstrate the impact of the vulnerability we developed a proof-of-concept which leveraged the cross-site websocket hijacking vulnerability to read the server configuration file to leak the sessionKey variable, generating login tokens, and generating an authentication cookie.\n\nThe vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to \u201ccontrol.ashx\u201d as the victim user within MeshCentral. There are some caveats to exploiting this issue however as MeshCentral configures `SameSite=Lax` security setting on cookies which introduces some additional preconditions for exploitation which we cover in a subsequent section.\n\n### MeshCentral Version Tested\nWe performed testing against MeshCentral version 1.1.20 which appears to be the latest supported version of the application. This appears to have been the latest version of MeshCentral available at the time we performed testing of the application in January and February 2024 (see Figure 1 and Figure 2).\n\n\nFigure 1: We determined that MeshCentral version 1.1.20 was the latest version available at the time we performed testing of the application.\n\n\nFigure 2: We configured our test environment on an Ubuntu server running version 1.1.20 of the MeshCentral application server.\n\n### What about SameSite=Lax Cookie Settings?\nOne may make the counterpoint that the `SameSite=Lax` security setting (see Figure 4) effectively prevents cross-site websocket hijacking (CSWSH) issues as an attacker origin of attacker.com would not be within the same-site as the victim meshcentral server at say meshcentral.example.com. This means an attacker that is able to convince a user to click on a malicious link wouldn\u2019t be able to successfully perform this attacker to the Lax setting with differing origins.\n\nUnfortunately, this isn\u2019t entirely correct as there is a core difference between same-site and same-origin policies within all modern browsers. In this case, while it\u2019s valid to say that the attack wouldn\u2019t work in the case of attacker.com targeting meshcentral.example.com when the SameSite setting is configured to Lax for session cookies, there are several other scenarios where an attacker could perform the attack successfully (see Figure 3).\n\n\nFigure 3: A table from PortSwigger\u2019s article on Bypassing SameSite Cookie Restrictions (source).\n\nFrom our perspective, the most relevant scenario is when an attacker is able to compromise an adjacent subdomain either through a vector such as a system compromise, exploiting a subdomain takeover vulnerability, or through exploitation of a cross-site scripting vulnerability within an adjacent application running under the same domain. For example, if an attacker found a cross-site scripting issue on example.com or vulnerable.example.com they would then be able to leverage the cross-site scripting issues on those domains to target meshcentral.example.com. There are other factors which could also allow an attacker to bypass the SameSite=Lax setting to perform cross-site websocket hijacking. For a more comprehensive list please see Bypassing SameSite Cookie Restrictions from PortSwigger.\n\n\nFigure 4: We observed that upon logging into MeshCentral the \u201cxid\u201d and \u201cxid.sig\u201d tokens were configured with the SameSite=Lax security settings.\n\n### Developing an Initial Proof-of-Concept Exploit\nAt this point we had a testing deployment of MeshCentral configured at meshcentral.example.com and simulated an attacker-compromised adjacent subdomain at evil.example.com. In this scenario, we assume the attacker exploited a subdomain takeover vulnerability to host malicious content on evil.example.com. Next, we developed a simple proof-of-concept payload which originated a cross-site websocket connection from the evil.example.com origin to meshcentral.example.com (see Figure 5).\n\n\nFigure 5: An initial proof-of-concept exploit we developed which simply sent a ping-message over the websocket connection from evil.example.com targeting meshcentral.example.com. We then triggered the exploit payload as a user that was logged into the MeshCentral application as an administrator by browsing to evil.example.com with a valid session on meshcentral.example.com. We\nobserved a cross-site websocket connection to meshcentral.example.com with an origin header set to evil.example.com as it originated from the attacker domain (see Figure 6). The response indicated the connection was successful and we received the expected pong response to our ping message sent to the server.\n\n\nFigure 6: We observed that when originating a websocket connection across origins the origin header was sent by the browser to the MeshCentral server indicating the origin which originated the cross-site websocket connection.\n\n### Demonstrating Impact\nAfter confirming the vulnerability we then developed a more comprehensive exploit payload to demonstrate the impact of the vulnerability (see Figure 7). Our new payload sent the serverconfig, authcookie, and createLoginToken actions to the administrative component. The ability to issue a new login token then provided us with persistent access to the users account. The ability to read the serverconfig file allowed us to exfiltrate the session key used to sign sessions allowing the attacker to forge valid session tokens as arbitrary users on the system. Our payload then read the response from the server and exfiltrated the sensitive data exported from the system to an attacker-controlled system for storage purposes (see Figure 8).\n\n\nFigure 7: A proof-of-concept exploit we developed for the cross-site websocket hijacking vulnerability resulting in complete compromise of the user\u2019s account and persistent access to the MeshCentral application as the victim user.\n\n\nFigure 8: We performed the attack using the exploit code shown in Figure AA to invoked the authcookie, serverconfig, and createLoginToken endpoints on the victim MeshCentral system leveraging the cross-site websocket hijacking vulnerability from evil.example.com.\n\nAfter performing the attack successfully we used the issued login token to authenticate to MeshCental and access the console as the NT AUTHORITY\\SYSTEM user for a windows agent which connected to the victim MeshCentral instance. This provided compromise of all the nodes within the impacted MeshCentral instance (see Figure 9 and Figure 10).\n\n\nFigure 9: An attacker could leverage the login token created by the attacker to authenticate to MeshCentral and then leverage this access to compromise nodes managed by the impacted MeshCentral instance.\n\n\nFigure 10: An attacker could leverage the cross-site websocket hijacking vulnerability to read the server configuration file of the MeshCentral system as an administrator to obtain the key used to encrypt sessions (sessionKey).\n\n### Remediation\nTo remediate this vulnerability we recommend inspecting the origin header when websocket connections are established to control.ashx and other websocket endpoints. Verify that the origin header sent to the server matches an allowlisted origin. This would prevent an attacker from originating a cross-site websocket connection from an untrusted site.",
"id": "GHSA-cp68-qrhr-g9h8",
"modified": "2024-02-21T00:10:30Z",
"published": "2024-02-21T00:10:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26135"
},
{
"type": "WEB",
"url": "https://github.com/Ylianst/MeshCentral/commit/f2e43cc6da9f5447dbff0948e6c6024c8a315af3"
},
{
"type": "PACKAGE",
"url": "https://github.com/Ylianst/MeshCentral"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MeshCentral cross-site websocket hijacking (CSWSH) vulnerability"
}
GHSA-CPX9-G67G-V8C5
Vulnerability from github – Published: 2022-05-14 02:07 – Updated: 2025-10-22 00:31The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
{
"affected": [],
"aliases": [
"CVE-2015-4495"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-08-08T00:59:00Z",
"severity": "MODERATE"
},
"details": "The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.",
"id": "GHSA-cpx9-g67g-v8c5",
"modified": "2025-10-22T00:31:11Z",
"published": "2022-05-14T02:07:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4495"
},
{
"type": "WEB",
"url": "https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1178058"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1179262"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201512-10"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/37772"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1581.html"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2015/mfsa2015-78.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76249"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033216"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2707-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQ7G-RMCX-793W
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2023-02-01 15:30If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.
{
"affected": [],
"aliases": [
"CVE-2019-11762"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox \u003c 70, Thunderbird \u003c 68.2, and Firefox ESR \u003c 68.2.",
"id": "GHSA-cq7g-rmcx-793w",
"modified": "2023-02-01T15:30:23Z",
"published": "2022-05-24T17:05:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11762"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1582857"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-10"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4335-1"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-160: Exploit Script-Based APIs
Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-510: SaaS User Request Forgery
An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-89: Pharming
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.