amidaware / tacticalrmm

A remote monitoring & management tool, built with Django, Vue and Go.
https://docs.tacticalrmm.com

(UPSTREAM) MeshCentral Security Vulnerability when version <1.1.20 #1781

Closed LPJon closed 4 months ago

LPJon commented 4 months ago

@wh1te909 Just reporting to make you aware that there has been a security vulnerability reported for MeshCentral servers which are less than version 1.1.20. The link below will take you to the vulnerability explanation. I will note that I successfully manually updated MeshCentral myself to version 1.1.21 already, but most users probably won't do that.

Here is the link: MeshCentral cross-site websocket hijacking (CSWSH) vulnerability

A possible breach has already been detected a few days ago and that link can be found here: "Accepted password for undefined" #5870

wh1te909 commented 4 months ago

I am aware, and this isn't the place to report security vulns; please see our security policy. I have already tested mesh version 1.1.21 and it will be in the next release. The mesh security vuln is not easily exploitable (requires the attacker to hijack a subdomain you own). The issue you linked about the undefined user has nothing to do with the mesh vuln.

LPJon commented 4 months ago

@wh1te909 Umm.....that was my bad. Sorry for incorrectly reporting this. I was in a hurry and didn't look.