M-Files: Security Vulnerabilities
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-11-28
Obsolete functionality in the REST API methods of M-Files Server before 23.11.13156.0 can cause unwanted server memory consumption, which allows attackers to execute DoS attacks.
CVSS Score
5.7
EPSS Score
0.001
Published
2023-11-22
Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-11-22
An execution-of-downloaded-content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution.
CVSS Score
8.6
EPSS Score
0.005
Published
2023-10-20
Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types.
CVSS Score
8.2
EPSS Score
0.009
Published
2023-10-20
Stored XSS vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1 allows an attacker to execute script in a user's browser via a stored HTML document.
CVSS Score
7.3
EPSS Score
0.001
Published
2023-10-20
Path traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows an authenticated user to read some restricted files on the web server.
CVSS Score
7.7
EPSS Score
0.001
Published
2023-08-25
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows an unauthenticated user to read a restricted amount of bytes from memory.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-08-25
Unchecked parameter value in M-Files Server versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows an anonymous user to cause denial of service.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-06-27
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allow elevation of privilege via UI extension applications.
CVSS Score
7.5
EPSS Score
0.0
Published
2023-05-25

