Description
A user with local access to a Windows system that has M-Files Desktop or Admin tools installed could gain SYSTEM privileges.
Affected products
M-Files versions before 22.6.
More information
A user with local access to a Windows system that has M-Files Desktop or Admin tools installed could gain SYSTEM privileges. This vulnerability does not grant any additional access or privileges to the document vault or M-Files Server. The threat is only to the user's local Windows operating system and to possible lateral movement with the additional operating system privileges. A malicious entity needs to be authenticated and logged in to Windows to be able to use this vulnerability.
CVSS 3.1 Score: 8.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-427: Uncontrolled Search Path Element
CAPEC: CAPEC-471: Search Order Hijacking
Internal ID: None
Credits: Alexander Staalgaard / Banshie
