Description
Incorrect privilege assignment in M-Files Server versions before 23.3.11164.0 and before 23.3.11237.1 allowed reading of unmanaged objects.
Affected products
All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1.
More information
“See and undelete deleted objects” permission incorrectly gives access to read undeleted unmanaged objects. CVSS 3.1 Score: 2.4 CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N CWE: CWE-269 Improper Privilege Management CAPEC: CAPEC-233 Privilege Escalation Internal ID: 161409
