How severe is CVE-2024-26135?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2024-26135?

This is classified as CWE-346, which is a common weakness in software security.

CVE-2024-26135 - HIGH Severity | CVSS 8.8

Vulnerability Description

MeshCentral is a full computer management web site. Versions prior to 1.1.21 a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is exploitable when an attacker is able to convince a victim end-user to click on a malicious link to a page hosting an attacker-controlled site. The attacker can then originate a cross-site websocket connection using client-side JavaScript code to connect to `control.ashx` as the victim user within MeshCentral. Version 1.1.21 contains a patch for this issue.

Related Vulnerabilities

CVE-2017-8793

HIGH

CVSS:8.8(High)

An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the d...

CWE-3462017

CVE-2018-6654

HIGH

CVSS:8.8(High)

The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens i...

CWE-3462018

CVE-2020-11069

HIGH

CVSS:8.8(High)

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can b...

CWE-3462020

CVE-2020-1408

HIGH

CVSS:8.8(High)

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

CWE-3462020

CVE-2020-24772

HIGH

CVSS:8.8(High)

In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. W...

CWE-3462020

CVE-2021-31718

HIGH

CVSS:8.8(High)

The server in npupnp before 4.1.4 is affected by DNS rebinding in the embedded web server (including UPnP SOAP and GENA endpoints), leading to remote code execution.

CWE-3462021