Description
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Affected products
M-Files Server before 25.12.15491.7
M-Files Server before LTS 25.8 SR3 (25.8.15085.18)
M-Files Server before LTS 25.2 SR3 (25.2.14524.14)
M-Files Server before LTS 24.8 SR5 (24.8.13981.17)
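The fixed builds above are branch-specific: a 25.8 LTS installation is patched at 25.8.15085.18 even though that is numerically older than 25.12.15491.7, so a plain "is my version below 25.12.15491.7" comparison gives wrong answers for LTS hosts. The following is an added example (not M-Files code and not part of this advisory) that applies the branch-aware comparison to an inventory of server versions. The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration, and the handling of versions on branches the advisory does not list (such as 24.2) is an assumption, noted in the code.

```python
"""Branch-aware check of M-Files Server versions against the fixed builds
listed in advisory CE-2194. Added example; not M-Files code."""

from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds from the advisory, keyed by the major.minor branch they belong to.
FIXED_LTS: Dict[Tuple[int, int], Version] = {
    (24, 8): (24, 8, 13981, 17),   # 24.8 LTS SR5
    (25, 2): (25, 2, 14524, 14),   # 25.2 LTS SR3
    (25, 8): (25, 8, 15085, 18),   # 25.8 LTS SR3
}
FIXED_MAIN: Version = (25, 12, 15491, 7)  # current release line


def parse_version(text: str) -> Version:
    """Parse 'major.minor.build.revision' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric components, got {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def fixed_version_for(text: str) -> Version:
    """Return the fixed build that applies to this version's branch.

    Assumption (not stated in the advisory): a version whose major.minor is not
    one of the listed LTS branches is judged against the current-line fix, so
    older or non-LTS releases below 25.12.15491.7 count as affected.
    """
    v = parse_version(text)
    return FIXED_LTS.get(v[:2], FIXED_MAIN)


def is_affected(text: str) -> bool:
    """True if the version is strictly older than the fix for its branch."""
    return parse_version(text) < fixed_version_for(text)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Map host -> (affected?, target build) for a host:version inventory."""
    result: Dict[str, Tuple[bool, str]] = {}
    for host, ver in inventory.items():
        result[host] = (is_affected(ver), format_version(fixed_version_for(ver)))
    return result


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY: Dict[str, str] = {
    "mf-prod-01": "25.8.15085.17",   # 25.8 LTS, one revision behind SR3
    "mf-prod-02": "25.8.15085.18",   # 25.8 LTS SR3, patched
    "mf-test-01": "25.11.15300.2",   # non-LTS monthly, before 25.12.15491.7
    "mf-legacy": "24.2.13500.1",     # unlisted older line, treated as affected
}

if __name__ == "__main__":
    for host, (affected, fix) in triage(SAMPLE_INVENTORY).items():
        state = "AFFECTED, upgrade to" if affected else "ok, fixed at"
        print(f"{host:12s} {state} {fix}")
```

The comparison uses the full four-component tuple, so a build on the same branch that is only one revision short of the service release is still reported as affected. Replace SAMPLE_INVENTORY with the versions reported by your own servers before relying on the output.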
More information
The vulnerability exists in M-Files Web and requires an authenticated attacker. The victim must be actively using M-Files Web and performing specific client operations. An attacker who obtains another user's session token can impersonate that user and perform actions with that user's identity and permissions.
CVSS 4.0 Base Score (CVSS-B): 8.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CAPEC: CAPEC-60: Reusing Session IDs (aka Session Replay)
Internal ID: CE-2194
Date issued: 2025-12-19
Alternate IDs: EUVD-2025-204468
Exploitability
Publicly disclosed: No
Exploited: No
Probability of exploitation: Low - responsibly reported
Links
History
2025-12-19 Published
