Windows Unquoted Service Path Enumeration
The Unquoted Service Path vulnerability is present when:
- a Windows service has an executable path that contains spaces and isn't enclosed in quotes, and
- the vulnerable service runs with SYSTEM privileges, which most of the time it does
This potential vulnerability exists in Lime CRM Server versions before 2023.3.1040. Our recommendation is that you update to this server version or follow the guide in this KB to mitigate the issue.
You can mitigate this issue by opening the HKLM\SYSTEM\CurrentControlSet\Services
registry tree. There you will find the following services:
- limepro-webfront
- lime-task-scheduler
- lime-task-handler
- limepro-importer
Locate the services listed above and, for each one, enclose the ImagePath value in quotes.
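
The check and the quoting step above can be scripted. The following PowerShell is an added example, not part of the original KB or of Lime's own tooling; it assumes the executable path ends at the first ".exe" in ImagePath, and the `-Apply` switch is a name chosen here. Save it as a script file and run it from an elevated prompt; without `-Apply` it only reports.

```powershell
# Added example: audit (and optionally quote) ImagePath for the services listed above.
# Without -Apply nothing is written to the registry.
param([switch]$Apply)

$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = 'limepro-webfront', 'lime-task-scheduler', 'lime-task-handler', 'limepro-importer'
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

foreach ($name in $services) {
    $key = Get-Item -Path (Join-Path $root $name) -ErrorAction SilentlyContinue
    if (-not $key) { Write-Warning "${name}: service key not found"; continue }

    # Read the raw string so variables such as %ProgramFiles% are not expanded.
    $raw = $key.GetValue('ImagePath', $null, $noExpand)
    if (-not $raw) { Write-Warning "${name}: no ImagePath value"; continue }

    $status = 'OK'
    $fixed  = $null
    if ($raw.StartsWith('"')) {
        $status = 'already quoted'
    } elseif ($raw -match '^(?<exe>[^"]+?\.exe)(?<tail>.*)$') {
        # Assumption: the executable path ends at the first ".exe";
        # anything after it is treated as arguments and left outside the quotes.
        $exe  = $Matches['exe']
        $tail = $Matches['tail']
        if ($exe.Contains(' ')) {
            $status = 'UNQUOTED'
            $fixed  = '"{0}"{1}' -f $exe, $tail
        }
    } else {
        $status = 'not parsed, check by hand'
    }

    if ($fixed -and $Apply) {
        # Keep the existing registry type (REG_SZ or REG_EXPAND_SZ).
        $kind = $key.GetValueKind('ImagePath')
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed -Type $kind
        $status = 'quoted'
    }

    [pscustomobject]@{ Service = $name; Status = $status; ImagePath = $raw; Proposed = $fixed }
}
```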