Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
9.8CVSS
9.3AI Score
0.003EPSS
In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by default.
2.3CVSS
3.9AI Score
0.0004EPSS
SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.
4.3CVSS
4.6AI Score
0.001EPSS
Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable
5.2CVSS
5.3AI Score
0.001EPSS
Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged objects.
4.3CVSS
4.6AI Score
0.001EPSS
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.
5.3CVSS
5.2AI Score
0.001EPSS
Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0.This issue affects M-Files New Web: before 22.11.12011.0.
7.5CVSS
7.5AI Score
0.002EPSS
Incorrect privilege assignment issue in M-Files Web in M-Files Web versions before 22.5.11436.1 could have changed permissions accidentally.
2.6CVSS
4.2AI Score
0.001EPSS
Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set.
7.5CVSS
7.3AI Score
0.002EPSS
Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information. This issue affects M-Files New Web: before 22.12.12140.3.
7.6CVSS
5.9AI Score
0.001EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
6.5CVSS
6.4AI Score
0.001EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
7.5CVSS
7.5AI Score
0.001EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job.
7.5CVSS
6.8AI Score
0.001EPSS
Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0.
7.8CVSS
5.6AI Score
0.0004EPSS
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service
7.5CVSS
7.3AI Score
0.001EPSS
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks.
7.5CVSS
7.6AI Score
0.0005EPSS
Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods.
5.3CVSS
4.9AI Score
0.0005EPSS
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.
8.8CVSS
6.9AI Score
0.001EPSS
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
6.5CVSS
6.4AI Score
0.0004EPSS
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
9.8CVSS
8.8AI Score
0.001EPSS
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
6.5CVSS
6.3AI Score
0.001EPSS