Description
M-Files has disputed this CVE. The described overlapping-ranges problem appears on Microsoft’s Internet Information Server when it serves static content such as image files, regardless of whether it hosts an M-Files Web application. The problem is reproducible on other IIS servers by requesting a static image file with a forged overlapping Range header. M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.
Affected products
M-Files Classic Web
More information
The range behavior is observable only with static content served directly by the underlying web server. M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.
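
One way to flag overlapping ranges in a Range or Request-Range header value during log review or in a request filter, as an added example that is not M-Files or Microsoft code. The function names and the optional `length` parameter (size of the requested static file, when known) are assumptions of this example.

```python
import re

SPEC = re.compile(r"^(\d*)-(\d*)$")   # "first-last", "first-" or "-suffix"
INF = float("inf")

def parse_ranges(value, length=None):
    """Return (first, last) byte pairs for a Range/Request-Range value.
    Returns None if the value is not a valid "bytes=" range set. `length`
    is the size of the requested resource, if known; without it a suffix
    range ("-N") is treated as the whole resource (conservative assumption).
    """
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    pairs = []
    for spec in (s.strip() for s in specs.split(",")):
        if not spec:
            continue                      # empty list elements are tolerated
        m = SPEC.match(spec)
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                   # suffix range: the last N bytes
            lo = 0 if length is None else max(length - int(last), 0)
            hi = INF if length is None else length - 1
        else:
            lo = int(first)
            hi = int(last) if last else INF
            if hi < lo:
                return None               # invalid spec, e.g. "10-5"
            if length is not None:
                hi = min(hi, length - 1)
        if lo <= hi:                      # skip unsatisfiable ranges
            pairs.append((lo, hi))
    return pairs

def has_overlap(pairs):
    """True if any two ranges share at least one byte."""
    covered = -1
    for lo, hi in sorted(pairs):
        if lo <= covered:
            return True
        covered = max(covered, hi)
    return False

def flag_header(value, length=None):
    """True for a syntactically valid range set with overlapping ranges."""
    pairs = parse_ranges(value, length)
    return bool(pairs) and has_overlap(pairs)
```

Because the range handling happens in the web server, this check belongs in front of it (reverse proxy, filter module) or in log analysis, not in the web application.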
