Windows Unquoted Service Path Enumeration

The Unquoted Service Path vulnerability is present if a Windows service:

  • has an executable path that contains spaces and isn’t enclosed in quotes, and
  • runs with the SYSTEM privilege level, which it does most of the time

This potential vulnerability exists in Lime CRM Server versions before 2023.3.1040. Our recommendation is that you update to this server version or follow the guide in this KB to mitigate the issue.

You can mitigate this issue by opening the HKLM\SYSTEM\CurrentControlSet\Services registry tree. From there you can find the following services:

  • limepro-webfront
  • lime-task-scheduler
  • lime-task-handler
  • limepro-importer

Locate the services listed above and, under each service's key, enclose the executable path in the ImagePath value in quotes.
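
One way to carry out the check and the change described above from PowerShell (an added example, not Lime's own tooling). The function name Get-QuotedImagePath, the -Fix switch and the assumption that the executable path ends in ".exe" are illustrative choices, not part of the product.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
# Assumption: the executable path ends in ".exe"; text after it is treated as arguments.
param([switch]$Fix)   # hypothetical switch: without it the script only reports

$services = 'limepro-webfront', 'lime-task-scheduler', 'lime-task-handler', 'limepro-importer'
$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Returns the quoted form of an ImagePath, or $null when nothing should be changed.
function Get-QuotedImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }                 # already quoted
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        Write-Warning "Cannot split '$p' into path and arguments; review by hand"
        return $null
    }
    # Copy the captures before the next -notmatch overwrites $Matches.
    $exe  = $Matches['exe']
    $rest = $Matches['args']                                 # $null when there are no arguments
    if ($exe -notmatch '\s') { return $null }                # no space in the path, not affected
    return '"' + $exe + '"' + $rest
}

foreach ($name in $services) {
    $key = Get-Item -Path (Join-Path $root $name) -ErrorAction SilentlyContinue
    if (-not $key) { Write-Output "$name : service key not found"; continue }

    # Read the raw string so %VARIABLES% in a REG_EXPAND_SZ value are not expanded.
    $current = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $quoted  = Get-QuotedImagePath $current
    if (-not $quoted) { Write-Output "$name : left as is ($current)"; continue }

    Write-Output "$name : unquoted path with spaces: $current"
    Write-Output "    quoted form: $quoted"
    if ($Fix) {
        # Keep the existing registry value type when writing the quoted path back.
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted `
            -Type $key.GetValueKind('ImagePath')
        Write-Output "    ImagePath updated"
    }
}
```

Run it without -Fix first and compare the reported quoted form with the original value before letting the script write anything.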

  • Last modified: 15 months ago
  • by Jens Gustafsson