Description
Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows an authenticated user to access a limited number of documents via incorrect access control list calculation.
Affected products
M-Files Connector for Copilot before 24.9.3
More information
Specific scenarios using metadata-based permissions may have allowed a user to access data that the user should not have access to. To fix the vulnerability, update Connector for Copilot to version 24.9.3 or newer.
CVSS 4.0 CVSS-B Score: 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N
CWE: CWE-281: Improper Preservation of Permissions
CAPEC: CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
Internal ID: 171378
Date issued: 2024-09-25
Exploitability
Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found
