Mar 06, 2023 - 11:15 a.m.

CVE-2022-4862

2023-03-06 11:15:10
CWE-79
CWE-200
web.nvd.nist.gov
cve-2022-4862
information security
html rendering
user authentication
data theft
nvd

CVSS3: 7.6 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

AI Score: 7.2 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 27.4%)

Rendering of HTML provided by another authenticated user is possible in the browser on M-Files Web before 22.12.12140.3. This allows the rendered content to steal sensitive user information.

This issue affects M-Files New Web: before 22.12.12140.3.

Affected configurations

NVD
Node
Vendor: m-files; Product: m-files_server; Range: <22.12.12140.3

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "M-Files New Web",
    "vendor": "M-Files",
    "versions": [
      {
        "lessThan": "22.12.12140.3",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
