
CVE-2023-5523 M-Files Web Companion allows Remote Code Execution

2023-10-20

Description

An execution-of-downloaded-content flaw in M-Files Web Companion before release version 23.10, and in LTS Service Release versions before 23.8 LTS SR1, allows remote code execution.

Affected products

M-Files Web Companion before 23.10
M-Files Web Companion before 23.8 LTS SR1

More information

The vulnerability requires user interaction to be exploitable. It is fixed in release version 23.10 and in Long Term Service release 23.8 SR1. Web Companion was not included in Long Term Service release 23.2, so that release is not affected.

The vulnerability is in Web Companion itself. To mitigate it, first update M-Files Server and then update Web Companion. Web Companion does not update automatically for users who already have it installed: they must accept the update suggestion shown when they open M-Files Web after M-Files has been updated, so updating the server alone does not remediate existing client installations. If a user does not have Web Companion installed, the vulnerability does not apply to that user, even on an M-Files release before 23.10.

CVSS 3.1 Base Score: 8.6
CVSS 3.1 Temporal Score: 7.7
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CAPEC: CAPEC-253 Remote Code Inclusion
Internal ID: 168401
Date issued: 2023-10-19
Credits: Anton Keskisaari / Second Nature Security

Exploitability

Publicly disclosed: No
Exploited: No
Probability of exploitation: low (responsibly reported)